The Weakest Link

Published by: Alastair Broom on March 10, 2017 in Security

As Logicalis’ Chief Security Technology Officer I’m often asked to comment on cyber security issues. Usually the request relates to specific areas such as ransomware or socially engineered attacks. In this article I’m taking a more holistic look at IT security.

Such a holistic approach to security is, generally, sorely lacking. This is a serious matter, with cyber criminals constantly looking for the weak links in organisations’ security, constantly testing the fence to find the easiest place to get through. So, let’s take a look at the state of enterprise IT security in early 2017, using the technology, processes and people model.

Technology

A brief, high-level look at the security market is all it takes to show that there are vast numbers of point products out there – ‘silver bullet’ solutions designed to take out specific threats. There is, however, little in terms of an ecosystem supporting a defence-in-depth architecture. Integration of and co-operation between the various disparate components is , although growing, typically weak or non-existent.

We’ve seen customers with more than 60 products deployed, from over 40 vendors, each intended to address a specific security issue. Having such a large number of products itself presents significant security challenges, though. All these products combined have their own vulnerability: support and manintenance. Managing them and keeping them updated generates significant workload, and any mistakes or unresolved issues can easily become new weak points in the organisation’s security.

The situation has been exacerbated by the rapidly increasing popularity of Cloud and Open Source software. Both trends make market entry significantly simpler, allowing new players to quickly and easily offer new solutions, targeting whichever threat happens to be making a big noise at the moment.

Just as poor integration between security products is an issue, so is lack of integration between the components on which they are built. Through weak coding or failure to make use of hardware security features – Intel’s hardware-level Software Guards Extensions (SGX) encryption technology is a good example – security holes are left open, waiting to be exploited.

The good news on the technology front is that we are seeing the early stages of the development of protocols, such as STIX, TAXII and CybOX, allowing different vendors’ products to interact and share standardised threat information. The big security vendors have been promoting the idea of threat information sharing and subsequent action for a while, but only within their own product ecosystems. It’s time for a broader playing field!

Processes

IT security is one of the most important issues facing today’s enterprise, yet, while any self-respecting board will feature directors with responsibility for sales, marketing, operations and finance, few enterprises have a board level CISO.

Similarly few organisations have a comprehensive and thoroughly considered security strategy in place, or proper security processes and policies suitable for today’s threat landscape and ICT usage patterns. A number of industry frameworks exist: ISO 27001, Cyber Essentials, NIST to name but a few; and yet very few organisations adopt these beyond the bare minimum to meet regulatory requirements.

Most organisations spend considerable sums on security technology, but without the right security strategy in place, and user behaviour in line with the right processes and policies, they remain at risk of serious breaches.

People

The hard truth is that some 60% of breaches are down to user error. Recent research obtiained through Freedom of Information requests found that 62% reported to the ICO are down to humans basically getting it wrong. People make poor password choices, use insecure public (and private!) WiFi, and use public Cloud storage and similar services without taking the necessary security precautions. They do not follow, or indeed even know, corporate data classification and usage policies. The list, of course, goes on.

Training has a part to play here, to increase users’ awareness of the importance of security, as well as the behaviours they need to adopt (and discard) to stay secure. However, there will come a point at which the law of diminishing returns kicks in: we all make mistakes – even the most careful, well trained of us.

We need to explore, discover and devise new ways in which technology can help, by removing the human element, where possible and desirable, and by limiting and swiftly rectifying the damage done when human error occurs. Furthermore, we need to leverage ever improving machine learning and artificial intelligence software to help augment human capability.

Enterprises need to work with specialists that can help them understand the nature of the threats they face, and the weak links in their defences that offer miscreants easy ways in. That means closely examining all aspects of their security from each of the technology, processes and people perspectives, to identify actual and potential weaknesses. Then robust, practical, fit-for-purpose security architectures and policies can be built.

For an outline of how this can work, take a look at Logicalis’ three-step methodology here or email us security@uk.logicalis.com to discuss your cyber security needs.

Leave a Reply Cancel reply

You must be logged in to post a comment.

WRITTEN BY Alastair Broom

Alastair Broom is Security Practice Lead for Logicalis UK where he is responsible for managing the UK Security Practice, defining the security strategy and roadmap and helping the Logicalis client base address their security challenges.

Alastair has held a number of senior Product Marketing and Product Management positions throughout his career and has lived through the evolution of the threat and regulatory landscape, helping customers protect their networks, data and brand.

Prior to Logicalis, Alastair was Security Line of Business Director at Dimension Data and managed the product & services portfolio at Integralis/NTT Com Security.

He has written several published articles/opinion pieces on a range of security related topics and has a degree in Electrical Engineering from the University of Nottingham.

All posts

Related
Most Recent
Most Popular

Showcasing IoT and security at Cisco Live Barcelona

Richard Simmons
January 25, 2019

If you’re heading to Cisco Live, make sure you visit the Logicalis booth (S6) to meet our Cisco, security and IoT experts and find out how we can help you enhance business agility through digital transformation.

Cisco Live EMEA takes place between 28 January and 1 February at the Fira Gran Via in Barcelona, and we’re exhibiting in the ‘World of Solutions’ as well as presenting during the Cybersecurity Partner Day. This annual customer conference aims to inspire IT leaders and champions of digital transformation. It presents a unique opportunity to acquire cutting-edge knowledge and skills on the technology that is already in use, and those that we’ll rely on in the future through meetings with, and presentations by Cisco experts and partners and unparalleled networking opportunities. And that’s where we come in

Logicalis has a long history and strong relationship with Cisco. We’re one of only six Global Gold Partners and in November last year we scooped 14 Partner Summit awards across multiple territories and categories.

Meet us in Barcelona

We’ll be on stand S6 in the ‘World of Solutions’ for the whole week, so feel free to pop by for a chat with one of the team, or to view one of two demonstrations.

Digital Network Architecture – a roadmap to digitisation
Find out how we integrate Cisco software defined access with industrial networking and IoT solution
Predictive threat analytics – automated detection and response
Discover how we integrate Cisco Stealthwatch with IBM QRadar to provide full context and rich visibility into security information and event management (SIEM) applications.

David Angulo, Security BDM Consultant from our team in Spain will also be discussing integrating Cisco’s Behavioural Analytics Technology Stealthwatch with IBM’s SIEM QRadar during the Cybersecurity Partner Day on January 28 at our booth at 4pm.

Plenty of ways to keep in touch if you can’t make it to Barcelona!

To keep up to date with all our activities make sure you follow us on social media.

Twitter – follow the UK team @LogicalisUK and the Spanish team @LogicalisES
LinkedIn – UK team and Spanish team.
The hashtags to look out for are #LogicalisatCLEUR and #CLEUR

Cisco will be live steaming a lot of the show, so if you want to feel like you’re there and watch in real time visit CiscoLive.com/emea or YouTube.

Category: News

Investing in IT to defend London’s public transport infrastructure

Alastair Broom
January 18, 2019

We spoke to Paul Graziano, Cyber Security Compliance Manager at Transport for London (TFL), about his job to defend the UK’s largest public transport network through innovative approaches.

The transport system is part of our critical national infrastructure – how do you see the cyber threat against this evolving?

I think cyber security within critical national infrastructure is becoming an increasingly complex task. A common security challenge is that many of the systems and devices we rely on were built when security wasn’t really an issue. They were designed for only a few people to have access to them. Now, more and more modern industrial control systems are being connected by IT Infrastructure, which is of course a positive thing.

However this means we don’t design ourselves into a position where we have to break in security to protect residency devices, which is what we’re currently working on. Instead of having security by design, we need to put the monitoring around these systems, so we know what users are accessing, know what they’re doing, as well as the network monitoring around these devices too.

What can we do to protect our critical infrastructure against attack

There’s no simple answer to this. In some ways, what we’re trying to do now is use a framework we’ve adopted in Information Technology (IT) to protect Operational Technologies (OT) which involves a security strategy. Security needs to start right from the beginning of the procurement of new systems and IT needs to make sure any new systems meet our security requirements.

I think we need to assume that we will be compromised. As long as the Security Operations team have that visibility, we will be able to respond to any incidents if need be and they’ll also need to be able to pull the plug in worst case scenarios.

A lot of work has been done within the government to help us out. The Centre for Protection of National Infrastructure (CPNI), a UK government body, released a number of frameworks for industrial control systems. They believe we should structure our industrial control systems to make them secure and deploy frameworks around them to achieve that.

What are your thoughts on the value of threat intelligence and and security analytics in the fight against cybercrime?

Both are extremely important and a vital part of Security Operations. Threat intelligence is a necessity as we need to understand what the new threats are and how that could morph into an attack on TFL.

Security analytics is just as important because to protect your network you need to have good visibility over it and you can only really achieve that through security log analytics. To do this you need to have the capability to sort logs from a range of sources and correlate these for suspicious activity. This enables you to benchmark it in order to understand what normal looks like and then you can look out for anomalies.

Will the Internet of Things change the way you address cyber crime?

Absolutely. Up until recently, the increasing number of devices being connected to the internet were mainly from the commercial side, but now it is entering the business side too. Every connected device is a potential target for botnet activities because they are not inherently secure, so they’re easily targeted and taken over as part of a larger attack. This is a very difficult problem to solve and we can’t be isolated as a business in dealing with it, there needs to be a consolidated effort.

How are you using virtualisation to transform your business?

TFL are hugely into virtualisation. A really good example of this would be TFL.gov.uk, our public facing API that’s used for TFL’s journey planner, which powers applications like Citymapper too.

In terms of its impact on our business, it has changed the way in which we think about new projects and new applications. Previously we had to rack up a new server every time we started a project. Now we can rapidly develop, build and test prototypes for new applications at very little cost. It gives us a lot of flexibility as we can scale up pretty much automatically when we need to, which we would never have been in a position to do before virtualisation.

There is a renewal aspect to it too, that if configured correctly, it’s relatively simple to spin up a new server if your prime one goes down. So there are many great benefits to virtualisation.

What other technologies would you suggest adopting in the fight against cyber-crime?

My idea is not so much a technology, but an awareness strategy. If you look at the number of the high profile attacks over the last year, a lot of them started with simple phishing attacks. Our spam filters will never be able to spot the first email from a newly setup phishing campaign and they’re purposefully designed to do that. One of the only ways to protect against this is to ensure our users are sufficiently trained to detect suspicious emails. I think improving communication with employees and making them aware of the impact an attack could potentially have, is vital.

In terms of actual technology, I think privileged identity access management is also key to a security team. It’s important to understand who has access to the most critical parts of your business as during a compromised attack, hackers will look for the business’ ‘crown jewels’.

One of the technologies that the industry is looking at more widely is called ‘deceptive security technology’, this is essentially a very old security component called a ‘honeypot’. A honeypot is a system that is built to be insecure and placed in a public part of your network. By doing so, you can see who finds it and what they do to it. This enables you to understand what sort of attacks are being targeted at it, providing a wider picture of the threat landscape. It is essentially a piece of proactive threat intelligence to find out if people are attacking parts of your network.

Thank you very much for answering all of our questions Paul and we wish you a fruitful career at TFL.

Category: Security

CIOs and the data security dilemma

Alastair Broom
January 2, 2019

With high profile breaches for the likes of Facebook, British Airways and Marriott fresh in the mind, it’s no surprise to see a backlash against the companies that hold our data and a new impetus to take back control. But how are CIOs tackling the information security challenge, and what do we expect the future to hold?

Assessing the threat

According to more than 840 CIOs that we interviewed for the sixth edition of the annual Logicalis Global CIO Survey, the role of the CIO is in flux. A traditional focus on “keeping the lights on” has seemingly given way to more strategic activities around service and product innovation as organisations take to the cloud and expand their IT estate. Despite all this, security continues to dominate CIO’s time and attention, with 93% saying that they devote between 10% and 50% of their time to information security – with 54% spending at least 30% of their time on it.

CIOs are right to remain vigilant, as all evidence points to the fact that threats are definitely increasing. We’re seeing no sign that external threats such as malware, ransomware, crypto-jacking and phishing are going anywhere, especially because it’s become even easier for the bad guys to launch these type of attacks. They’re low cost and have the potential to reach either massive or highly targeted audiences.

One trend that has emerged from the survey is that CIOs are now far more focused on the human dimension of cyber risk than before. Whilst the 2017 report cited external threats as the clear focus, this year’s findings saw lack of staff awareness and mistakes as a concern for more than half (56%) of CIOs, while 39% are concerned about malicious insiders. The human dimension is interesting, and we’d certainly say that people and process should always be the place to start. This attitude doesn’t particularly bear out in what we’ve seen before, however, as technology tends to take precedence over training.

The expansion of the IT footprint and the ever evolving threat landscape have clear implications for security, and most CIOs signal that they are moving away from a purely defensive footing to one of cyber resilience, which brings together defence with detection and recovery. More than a third (37%) of CIOs say their organisation now adopts a resilience-based information security footing. This stance will be aided by some element of automation within the process, as the rate at which threats are accelerating is outpacing our ability to develop skills. AI represents an opportunity to keep pace, particularly when it comes to threat detection and response. We’d expect developments in this area to focus on the ‘response’ part of this process, although it will require something of a cultural leap to allow technology to make decisions for us.

The value of data

Data breaches were cited as a concern by 54% of CIOs, demonstrating how CIOs are attuned to the broader debate around data privacy and management. Despite measures introduced this year, it’s still very difficult to understand and manage data permissions, for both consumers and the businesses that own their data, and there’s a lot more that needs to be done to clean up the ethics around this.

According to our CIO sample, the impact of GDPR has fallen far short of the dire predictions with nearly three quarters (71%) saying that GDPR passing into law has had no impact on their organisation at all. Based on what we heard from customers, GDPR was significantly overplayed and organisations became apathetic long before the May deadline. Faced by business trying to sell them solutions to address their GDPR requirements, a lack of understanding of what their liability was and a misconception that they were too small to be significant, fed-up businesses appear to have opted for a view that “we only need to be as good as our neighbour”.

It would be wrong to suggest that GDPR in, and of itself, had no effect. Rather that most organisations did a great job of implementation, as those with longer memories will recall from Y2K. The Logicalis Global CIO Survey also assessed the cost of GDPR compliance and, again, the reality fell well short of the hype. Though the average investment of up to £25,000 is not insignificant, it suggests that the process was well and efficiently handled.

So what happens now?

Even though the fines for non-compliance are considerable, we’d expect the biggest financial impact in a post GDPR world to be seen in class-action lawsuits arising as a result of data breaches. The huge numbers of customers affected by these large data breaches make this inevitable. But this also has the potential to be hijacked by ‘ambulance-chasers’, and our survey found that 6% of CIOs have already been targeted by opportunists seeking to profit from non-compliance. So expect those PPI and whiplash calls on your phone to be replaced by an automated voice asking about the data breach that compromised your personal information.

We’re certainly at the point now where data breaches should be viewed as ‘when’ and not ‘if’. We’d expect organisations to be increasingly turning to encryption as a way to minimise the impact when a breach does happen, a trend that has been slow to date because of the costs associated. Perhaps the threat of users removing their personal data, and a greater understanding of its value to the business world will be the catalyst this needs.

Category: Security

Women in Channel Awards – meet Sarah

Jen Molyneux
October 3, 2019

Name: Sarah Pidgeon

Role: Sales Operations Manager

Nominated for: Sales Employee of the Year award

Sarah is an inspiration because… of her strong work ethic and enthusiasm. She’s managed large teams and absolutely thrives as a leader. She is also continually mentoring other women within the business to facilitate their progression. Her diligence and determination means she is trusted to support the entire sales process and has the highest level of responsibility in this area.

Why we love Sarah “Quite simply, Sarah is an awesome human being who puts everyone and everything before herself: she regularly does amazing things which she thinks are normal” Gary Lomas, Sales Director

Sarah is a huge Chris Moyles fan!

Congratulations to all of the very worthy shortlisted nominees who have worked hard to be in a position where they are considered for such a prestigious award. We’re looking forward to the awards ceremony on 17 October where we’ll find out who will be lifting the trophy.

Category: Women in IT

Women in Channel Awards – meet Reg

Jen Molyneux
October 3, 2019

Name: Reg Bluman

Role: Marketing Programme Manager

Nominated for: The Rising Star award

Reg is an inspiration because… she gets stuck in and she’s very tenacious. She’s not afraid to strip activities and processes back in order to enable new and better ways of working. Always happy diving into unfamiliar territory, she uses her voracious appetite to learn get to where she needs to be.

Why we love Reg: “Reg radiates positive energy in everything she does. She works with a sense of urgency, is not afraid of new challenges and has a lot of fun along the way. She takes responsibility and always follows through on what she says she’ll do. I think we should all be a little more Reg!” Natasha Darbyshire, Head of IT.

Reg used to be a snowboard instructor in her native Colorado

Category: Women in IT

Women in Channel Awards – meet Amanda

Jen Molyneux
October 3, 2019

Name: Amanda Nelson

Role: Head of Sales Support

Nominated for: Manager of the Year award

Amanda is an inspiration because… of her leadership skills and the strong relationships she has built with her team of 25. She understands the challenges that accompany being a woman in a male-dominated industry and makes it a priority to understand and mentor them, where necessary paying extra attention to building confidence among female members of the team. She encourages all her team-members to play on their strengths and combine their logical intuition with keen insight

She encourages all her team-members to play on their strengths and combine their logical intuition with keen insight.

Why we love Amanda: “Amanda genuinely cares about our development and success and she often goes above and beyond in looking out for us. She has amazing attention to detail: her preparation skills are second to none and she supports us in anything we do, even outside of work”
Jake Taylor, Billing Administrator.

Amanda , on the left, recently completed a 25km charity trek across the bridges of the Thames – which shows her determination as she usually drives the 300 yards it takes to get to the local shops!

Category: Women in IT

Women in Channel Awards – meet Kate

Jen Molyneux
October 3, 2019

The CRN Women in Channel Awards take place every year to shine a light on the IT leaders, influencers, exceptional employees and role models who will inspire the next generation. We’re extremely proud to have four of our wonderful women in the shortlist. Meet Kate who is nominated for the Rising Star award. Name: Kate Dadlani Role: Chief Information Security and Data Protection Officer Nominated for: The Rising Star award Kate is inspirational because… since joining Logicalis 18 mont...

Category: Women in IT

Women in Channel Awards – meet Reg

Jen Molyneux
October 3, 2019

The CRN Women in Channel Awards take place every year to shine a light on the IT leaders, influencers, exceptional employees and role models who will inspire the next generation. We’re extremely proud to have four of our wonderful women in the shortlist. Meet Reg who is nominated for the Rising Star award. Name: Reg Bluman Role: Marketing Programme Manager Nominated for: The Rising Star award Reg is an inspiration because… she gets stuck in and she’s very tenacious. She’s not afraid...

Category: Women in IT

What are you wearing to IBM Think?

Richard Simmons
October 2, 2019

We’re excited to once again be taking part in Think Summit London, IBM’s flagship business and technology conference. Taking place on Wednesday 16 October at Olympia London the event will feature tech talks, immersive experiences, topical debates and thought-provoking guest speakers. We’ll be present at in the Data & AI Campus where our team will be demonstrating how organisations can unlock the benefits of IoT data with analytics. Our visitors will be able to experience the Smart M...

Category: Information Insights / IOT

Categories

Digitally Speaking

Latest Tweets