
A false sense of security
In light of the unceasing cyber-attacks against IP-strong industries, security experts are warning businesses to be much more thorough with their defence strategies. EGR Technology looks at the potential solution for warding off future threats


Today’s media is rife with reports of daunting, Skynet-style cyber-attacks, and is consistently barraging society with warnings that we are all at risk, all of the time. But cyber-security experts are swiftly assuring the wider business community it’s not all doom and gloom. Last month, beneath the towering spires of Cambridge University, key security stakeholders gathered with the unified mission to build a stalwart army of future “ethical hackers”. And the key message to come out of the inter-university C2C cyber-security challenge was: to instil a deep-rooted awareness of potential threats into absolutely everyone.
Considering the recent WannaCry ransomware outbreak that crippled NHS systems, and the leak of highly sensitive data by the Swedish government, large-scale cyber threats, particularly those targeting businesses and governments, are becoming more prevalent and far more advanced. But beneath the surface, the avoidable issues are much the same.
“Everything that is new will have some aspects that can be exploited if it hasn’t been carefully designed. You just have to make yourself a little bit more protected and make sure that when they go around rattling all the doors in the neighbourhood, yours doesn’t open,” C2C tournament founder and Cambridge Professor of Security and Privacy, Frank Stajano, explains.
By bringing to light the flip side of the security story, experts like Stajano are eager to assure everyday computer users that by developing an awareness and a base-level understanding, they can protect themselves and their employers’ livelihoods.
The business of security
Director of global cyber-security solutions firm NCC Group, Tim Rawlins, believes cyber-security should be considered as one of the biggest risks to a firm. “This is something they have got to put onto the business risk register,” he says.
The Cambridge 2 Cambridge challenge brings together 110 of the brightest students from the most renowned computer science universities in the US and UK. Stajano reveals his aim is to encourage those with an aptitude for computer science to join the growing cyber-security community.
“This is the largest event we’ve done spanning three consecutive days. We have the backing of the Cabinet Office and the National Cyber Security Centre,” he notes.
The contest, described as an “ethical hacking event”, follows a series of complex tests and puzzles built into a platform developed by STEM-focused firm and competition sponsor Leidos. Each team is made up of five students from different universities, a deliberate effort to encourage collaboration.
“We want them to socialise so when they are all chief security officers and other galactic level security professionals, they have the friends they made here in 2017 in Cambridge to call when they are faced with a cyber-attack. We are really building a collective group of clued up people, because if the bad guys are organised, we also have to be organised,” Stajano adds.
The top teams are able to scoop prizes of up to £20,000. “If we continue to get the appropriate backing we hope to expand to even more countries,” he comments.
“Across industries we see what’s known as digital debt, where people haven’t invested and companies have increasingly out-dated IT systems,” Rawlins explains. “With this digital debt, companies are more vulnerable to attack. The other issue is systems that were never designed with security in mind and now someone’s said ‘we’ve got to plug it in’.” To remedy this, NCC offers businesses bespoke security strategies at all stages of their digital journey.
Another cyber-defence giant is Leidos, which provided the Cyber Nexus platform on which the C2C tournament was fought. Working predominantly with the US government on defence, the global company also supplies businesses with internal training tools. “[The biggest threat to a business is] its employees. They can do things, non-maliciously, but accidentally. From an online gaming perspective you don’t want your clients to hack in and affect the game and disrupt that flow,” business operations manager for defence and intelligence, Hilary Stephens, reveals.
Honing the right skills
Professor Stajano teaches undergraduate and masters courses to the future defenders of the digital domain. He, like Leidos, urges the private sector to look beyond the technology itself and the threats it faces. “Security can only be meaningful as a system, it’s not just about the technology,” he divulges. “If you’re drawing too narrow a view of what you need to secure then you’re most likely going to have problems. You have to consider all the outer layers of the onion, including people and organisations, if you want to make your system secure.”
GVC’s group CTO, Sandeep Tiku, recognised the value of honing his workforce to practice a meticulous and steadfast security strategy early on in the development and integration of the firm’s latest technology platform. “What you cannot underestimate is having the right set of people and right set of skills. We have a really strong security officer, infrastructure head and his team and other technical guys who work from layer to layer. Security is not about putting a lock on your platform but implementing things at different layers, at the firewall, UI, product, database, middleware and at every piece,” he comments.
Tiku also said that owning a proprietary platform gives the firm the upper hand against targeted cyber threats, adding: “Any piece I want to change is in my control to change, but others who depend on external suppliers take a lot more time. We can put a team together in 24 hours for those specific components and we are there.”
NCC Group’s Rawlins deems the online gambling industry to be a vanguard of cyber-security, at the forefront of “recognising the challenge to their business models”. He believes operators have accepted the fact that they need to face the threat, because their business models are reliant on hackers not being able to change the odds, or exploit any vulnerabilities in their systems.
One way businesses are able to join in on the collective fight against cyber-terrorism is with CiSP. The Cyber Security Information Sharing Partnership is described as “a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business,” says PhD student at Belfast’s Queen’s University, Stuart Millar.
“There are different CiSP groups around the UK made up of SMEs and more enterprise scale companies. They can put posts up in real-time to pre-warn others of attacks they’re under. There’s a traffic light system so you can flag your case based on how serious it is. Those who are subscribed to the platform will receive those updates,” he adds. The system was created in 2013, with the intention of encouraging engagement between industry and government counterparts in a secure environment.
CiSP memberships are available to all UK registered companies that have an electronic communications network within the UK. CiSP members receive cyber threat and vulnerability information from the ‘Fusion Cell’, a joint industry and government analytical team which examines, analyses and delivers feedback on cyber information from a wide variety of data sources.
As it stands CiSP is not widely publicised, despite having been online for the last four years. “Perhaps there should be more advertising around this collaboration,” Millar adds. As of May 2016 over 2,225 organisations and 6,150 individuals had signed up to the service. Its primary industry partners include BT, EE, KPMG, Lloyds Banking Group, Microsoft, Qinetiq and Virgin Media.
Elsewhere, Stockholm-listed operator Betsson recently revealed it was providing its 1,500-strong staff with an eLearning course to help them develop an understanding of how to safeguard the firm’s IT infrastructure. A statement released by course provider iGaming Academy said the course would “illustrate to employees the importance of Information Security and why it’s business critical” as well as “[teaching] them how to protect confidential information and report actual or suspected data breaches”.
The blame game
Professor Stajano is quick to place blame for the lax approach to safekeeping on the manufacturers of the systems themselves, accusing them of exploiting customers’ lack of knowledge. “We need to develop a new mindset about developing software where security is not just an option, but is something designed within it from the start,” he explains. “To someone who does not have extensive security knowledge it all looks the same. There is not much incentive for the manufacturers of the systems to be very secure, they know nobody will pay extra because they don’t know the difference. The setting is one where security is not very valued on the developers’ side.”
He is counteracting the issue by forging a community of students and keen techies, and educating those future software engineers to be more competent. “You do need experts, and this is why we’re doing things like C2C to help bring up more people to close this gap.” Similarly, NCC’s Rawlins talks of “supplier assurance”, a concept that would no doubt be music to the ears of gambling operators. “How can you reassure yourself that your supply chain is delivering something safe and secure for you?” Rawlins questions. “That’s been a real challenge for a lot of companies.”
However, providers and suppliers are also subject to stringent regulation. The impending GDPR will have huge implications for data processors, requiring many of them to appoint a data protection officer and holding them accountable for breaches of the personal data they handle. As the wider business world slowly gets clued up on cyber-security, regulators are placing more precautionary obligations on tech developers. GVC, for example, which provides a B2B platform for partnering operators, has a regulatory framework integrated into its technology to ensure it keeps pace with shifts in legislation.
Harmless vandalism to criminal activity
Threats have matured significantly in the 20 years that Stajano has been carrying out academic research in the area. “In the last decade we have seen what used to be just vandalism turn into criminal activity because they have now started to find ways to monetise the attacks. Traceability being difficult, there’s a feeling that you can do it with impunity. As a society we want to make sure that we can trace the attacks, and promise retribution to deter attackers from engaging in this activity.”
Nonetheless, Rawlins is quick to deflect any major worry over the growing threat of cyber-terrorism. “It’s not necessarily that we should all be up in arms, but we should all be thinking about it. It’s thinking about the process. For most companies security is something that IT does and that’s the attitude that has to change. Everybody should be involved,” he insists.