Tag Archives: cybercrime

As North Korean crypto-theft ramps up, it’s time for CISOs to prepare for a new reality at CLOUDSEC

by Ian Heritage

It has just emerged that North Korean hackers have made an estimated $2 billion from a long-running campaign targeting banks and cryptocurrency exchanges. The leaked UN report detailing the scheme to make money for the hermit nation’s illegal weapons programme is food for thought for CISOs everywhere. It’s proof of a new reality: that organisations must counter the threat from nation states as well as organised cyber-criminals.

At Trend Micro’s CLOUDSEC conference next month, UN Office on Drugs and Crime (UNODC) cybercrime and cryptocurrency advisor Alexandru Caciuloiu will be on hand to share his wisdom.


Hear about the latest in cyber policing at CLOUDSEC

by Ian Heritage

Few people could dispute the vital role government strategy plays in efforts to tackle cybercrime and state-sponsored attacks. The security industry also plays a crucial part in developing products and generating key intelligence to keep organisations safe. But there’s a third essential pillar to these efforts: law enforcement. And the good news is, cross-jurisdictional operations are starting to generate significant results. But recent news from within the EU has shown us that education and societal intervention is just as important as arresting hardened criminals.

Industry professionals wanting to find out more about this valuable work should get down to Trend Micro’s annual CLOUDSEC event in London next month, where leading figures from law enforcement will be sharing their thoughts and expertise.

Arrests and interventions
Global police have been on a roll over the past couple of years, dismantling thriving dark web marketplaces like AlphaBay, Hansa, Wall Street Market and Silkkitie and disrupting major cybercrime rings like Rex Mundi. However, in Europe, there’s a potentially even more important operation currently being run.

The Hack_Right initiative isn’t designed to track down and arrest suspected cyber-criminals, but instead to step in to prevent first-time offenders becoming serial hackers. It works quite simply: when police spot a possible cybercrime, they visit the suspect and explain what happened – offering the culprit a type of community service rather than pushing them towards the criminal justice system. In this way, the individual gets 10-20 hours of ethical hacking training, along with help and advice on possible career paths or further education.

It’s a remarkably mature and progressive approach to policing, reflecting the fact that the average age of a convicted cyber-criminal is just 19, according to Dutch cyber police. So far the UK’s National Crime Agency (NCA), which is running the programme along with its counterparts in the Netherlands, has spoken with 400 youngsters. It’s proof of the vital role law enforcers can play in providing a deterrent to would-be offenders. Time will tell how well it works, but it’s worth a shot: the economics of cybercrime and the ease with which tools and know-how can be bought on the dark web mean there will always be a lure for budding black hats.

Focus on policing at CLOUDSEC
An increasingly important part of the CISO’s role is to co-ordinate effectively with law enforcement. That may be in the event of a major cybersecurity breach, where time is of the essence in terms of incident response. Or it could be during outreach and education programmes run by the police themselves. Whatever the cause, it makes sense to get familiar with how policing works in the high-tech crime prevention space.

That’s where CLOUDSEC comes in. Trend Micro’s annual event in September will feature an impressive roster of speakers from law enforcement. There’s former head of the UK’s Police National Cyber Crime Unit, Charlie McMurdie; UN cybercrime advisor, Alexandru Caciuloiu; and others to be announced.

Make sure you reserve your place today!

What: CLOUDSEC 2019
When: 13 September 2019
Where: Old Billingsgate Market, London

The view from the CISO at CLOUDSEC 2019

by Ian Heritage

Modern IT security leaders are increasingly caught in the middle, between rapidly professionalising cyber-criminals and nation state hackers on one side and board demands for more agile, digital-centric systems on the other. Knowing how to mitigate cyber risk whilst supporting the business’s need to become more efficient and flexible can be a thankless task. That’s why CLOUDSEC this year is devoting more of its time to real-life case studies.

Sometimes the best way to learn what may work for your company is not from a vendor presentation, but by hearing first-hand how a counterpart in another organisation has managed. With that in mind, we’re delighted this year to welcome Magnus Carling, Chief Information Security Officer at Swedish ferry operator Stena AB.

Under attack
The past week alone has seen a raft of stories that perfectly characterise the pressure CISOs are under today. On the one hand, digital transformation projects risk exposing the organisation to threats on a whole new scale. A new Nominet report reveals that 53% of security leaders view security as a top concern, with customer data (60%), cyber-criminal sophistication (56%), an increased attack surface (53%), visibility blind spots (44%), and IoT devices (39%) all cited as issues.

On the other, the threat landscape has never been more varied or fast-changing. BEC scams are rapidly emerging as one of the biggest money-makers out there for cyber-criminals: new stats from the US Treasury Department claim that these attacks made the bad guys over $300m each month in 2018. CISOs must balance these and other threats like ransomware and crypto-jacking with more traditional attacks including phishing and vulnerability exploitation. One new report claims that over 800,000 machines worldwide are still exposed to the critical BlueKeep flaw – putting them in the firing line of a possible global worm-like campaign.

Sharing best practice
Fortunately, help is at hand. Trend Micro’s CLOUDSEC event has, for five years now, been offering expertise from some of the industry’s biggest names. This year is no exception: it will feature representatives from the United Nations, and luminaries who used to head up the Police National Cyber Crime Unit and the White House CIO’s office, among others including Trend Micro experts.

But we’ve also tried to go one better than previous years, by inviting CISOs from large multi-nationals to share their war stories and provide insight into how they manage the challenges of being a security leader at a time of unprecedented volatility and risk. That’s why we’ve got Magnus Carling along to speak during an industry case studies section of the show. He’ll be joined by Frank Thomas – Senior Director of Security Platforms and Engineering at Thomson Reuters – and another IT security leader to be confirmed.

Magnus is a seasoned CISO with a quarter of a century’s experience ensuring cybersecurity is always a business enabler and not the block on innovation that it can often become. He can also speak with authority about the challenges of regulatory compliance: Stena AB has operations in five areas including ferries, offshore drilling, property and finance. That means Magnus must manage GDPR as well as NIS Directive and a patchwork of other industry regulations.

CLOUDSEC will take place this year in the historic surroundings of Old Billingsgate, the perfect backdrop to explore how technology and cyber threats are forcing traditional industries to rethink their approach in our modern digital age.

Tickets are selling fast, so book now to reserve your place at the show.

What: CLOUDSEC 2019
When: 13 September 2019
Where: Old Billingsgate Market, London

Major GDPR Fines Make the Case for Cyber Security

by Bharat Mistry

One of the most important and challenging parts of the CISO’s role is to translate complex concepts into a language the board understands. Without this crucial skill, it can be difficult to secure much-needed top-level buy-in for major projects and cultural change. That is, until now. With the advent of the GDPR, data protection, privacy and cyber security became a board-level issue. This week, things kicked up a notch further, with BA and Marriott fined over £282m (€313m) collectively by the UK regulator.

If they have been stonewalled in the past, now is the time for CISOs to make the case more urgently than ever for extra investment to mitigate the clear business risk of regulatory fines.

The phony war is over
The Information Commissioner’s Office (ICO) was instrumental in helping to draw up the GDPR, and it was acting as the lead supervisory authority on behalf of other EU Member State data protection authorities when it issued the fines this week. Marriott International was handed a penalty of just over £99m (€110m) while British Airways was given a fine of over £183m (€204m). This amounts to 1.5% of its worldwide turnover in 2017, and significantly less than the possible maximum of 4%. Both will appeal the size of the penalties, but one thing is clear: no board room anywhere in the world can ignore the potential impact of GDPR on their bottom line and corporate reputation.

In the case of Marriott, the firm’s woes were inherited from the Starwood hotels group it acquired in 2016. But that’s no excuse, the ICO said. The hotel giant should have undertaken more effective due diligence and put in place “proper accountability measures to assess not only what personal data has been acquired, but also how it is protected”. It’s also a US firm, but 30m of the 339m guest records exposed in the massive multi-year breach belonged to EU citizens. The reach of GDPR is global.

For BA, it was a 2018 breach of 500,000 customer records, including card numbers, travel booking details and names and addresses. Attackers compromised its website with notorious digital skimming code known as Magecart, in what appears to have been a highly targeted attack in which they did their best to stay hidden. Still, the ICO said it could and should have done better. The bottom line, said information commissioner Elizabeth Denham, is this: “When you are entrusted with personal data you must look after it.” This also sends a stark message: if you use third parties for any type of service, or outsource, you should take adequate steps to ensure the supply chain is secure, because you remain ultimately responsible and will be fined should there be a breach.

Time to focus on security
There’s no silver bullet when it comes to GDPR compliance – just as there is no guaranteed way to remain 100% breach free. All organisations can do is to prove they have the best interests of their customers at heart, by following industry best practices and proven frameworks. As part of these best practices, we’d encourage a defence-in-depth approach to security combining a range of cross-generational threat protection techniques at server, endpoint and network layers.

Here are a few ideas:

  • Conduct a thorough data audit to work out what you process, where it flows and how high-risk it is
  • Apply appropriate security controls to that data. Endpoint, network, server and web/email gateway protection should ideally come from a single reputable provider. Trend Micro’s XGen approach offers a combination of connected threat defence techniques at each layer
  • Apply strong encryption to high-risk data at rest and in transit
  • Restrict access controls and apply multi-factor authentication (MFA)
  • Implement continuous network monitoring for threats
  • Improve end-user education, with phishing simulation tools like Phish Insight
  • Keep all devices and software up to date
  • Follow best practice standards and frameworks, such as Cyber Essentials, BS 10012:2017 personal information management system (PIMS) and ISO 27001:2013 information security management system (ISMS)
  • Audit your supply chain to mitigate third-party risk and update contracts to reflect the new GDPR regime

Most importantly, European firms must remember that compliance is not a destination that can be forgotten about once you reach it. Instead, it’s an ongoing journey that will require constant attention, and investment, as technology environments, the threat landscape, and regulatory requirements change.