Stop Band-aiding your Cyber risk strategy with training

It wasn’t too long ago that sophisticated executives could have long, thoughtful discussions on technology strategy without even mentioning security. Today, companies have substantial assets and value manifested in digital form, and they are deeply connected to global technology networks – even as cyber attackers become ever more sophisticated and adaptable to defenses.

At most companies, boards and senior executives acknowledge the serious threats that cyberattacks pose to their business. What they are not sure of is how to create a strategy that helps them understand and address the threats, in all their forms, today and in the years ahead. And they’re asking for such a strategy every day.

Increasingly, the online world has grown complex and threatening. Many organizations are finding it hard to reconcile the level of their cybersecurity innovation investments with the cyber resilience outcomes for their business. Even worse, choosing the wrong strategy to invest in cybersecurity technologies can cost the organization far more than wasted cash; it can damage an organization’s brand, reputation, and future prosperity.

Both C-suite and security professionals should feel encouraged. Investment in innovation is increasing and managing the basics appears to be better. But scratch below the surface and there are hidden threats. Organizations face unsustainable costs, and security investments are often failing for the majority. With low detection rates and slow recovery times, it is important to find out what the leading organizations are doing differently to achieve cyber resilience. The good news is that most organizations, on average, spend 10.9 percent of their IT budgets on cybersecurity programs.

Leaders spend slightly more, at 11.2 percent, which is insufficient to account for their dramatically higher levels of performance. And their investments in advanced technologies, such as artificial intelligence, machine learning or robotic process automation, are rising substantially. Today, 84 percent of organizations spend more than 20 percent of their cybersecurity budgets on tools that use these three technologies as fundamental components. The finding represents a good step up from the 67 percent being spent three years ago. The increase is even more impressive with respect to the leaders. Three years ago, only 41 percent of leaders were spending more than 20 percent of their cybersecurity budgets on advanced technologies. Today, that has doubled, to 82 percent.

At first glance, the basics of cybersecurity are improving and cyber resilience is on the rise. The latest research in the market shows that most organizations are getting better at preventing direct cyberattacks. But in the shape-shifting world of cybersecurity, attackers have already moved on to indirect targets, such as vendors and other third parties in the supply chain. It is a situation that creates new battlegrounds even before they have mastered the fight in their own backyard.

At the same time, cybersecurity cost increases are reaching unsustainable levels and, despite the hefty price tags, security investments often fail to deliver. As a result, many organizations face a tipping point. There is good news for organizations wondering if they will ever move beyond simply gaining ground on the cyber attacker. Analysis by Accenture reveals there is a group of standout organizations that appear to have cracked the cybersecurity code for innovation.

The BBC recently reported that researchers have discovered major security flaws—which affect flood defenses, radiation detection, and traffic monitoring—in the infrastructure for major cities in the United States and Europe. Of those flaws, nearly ten are deemed “critical,” meaning that a cyberattack on these systems would have a debilitating impact on essential infrastructure, including power grids, water treatment facilities, and other large-scale systems. It seems like the stuff of disaster films: A major city loses power. Huge amounts of the population panic. The roads clog. Planes are grounded. Coordinating a rescue effort— even communicating with the public—would be a colossal task.

Detailed modeling of cybersecurity performance has identified two distinct groups: the first an elite group—17 percent—that achieve significantly higher levels of performance compared to the rest. These organizations set the bar for innovation and achieve high-performing cyber resilience. The second is the group forming the vast majority of our sample—74 percent—who are average performers, but far from being laggards in cyber resilience. This second group has lessons to learn from leaders while leaders, too, have further room for improvement.

Being innovative in security is different from any other aspect of the business. Caution is necessary. After all, a fail-fast approach is not an option for security where attack vulnerabilities could be catastrophic. Growing investments in innovation illustrate organizations’ commitment to prevention and damage limitation. And it is here that leaders excel. By focusing on the technologies that provide the greatest benefit and sustaining what they have, they are finding themselves moving fast and first in the race to cyber resilience.

What is one key to secure innovation?

Companies are using all kinds of sophisticated technologies and techniques to protect critical business assets. But the most important factor in any cybersecurity program is trust. It undergirds all the decisions executives make about tools, talent, and processes. Senior business leaders and the board may see cybersecurity as a priority only when an intrusion occurs, for instance, while the chief security officer and his team view security as an everyday priority, as even the most routine website transactions present potential holes to be exploited.

Leaders now show us that they scale, train and collaborate more. So, while non-leaders measure their success by focusing on the destination— improved cyber resilience—the leaders focus on how to get there using warp speed to detect, mobilize and remediate.

“IBM Survey: Pandemic-Induced Digital Reliance Creates Lingering Security Side Effects” – IBM, 15 June 2021.
Individuals created 15 new accounts on average during the pandemic, with 82% reusing passwords across accounts. According to the report, user behavior showed strong preferences for convenience outweighing security and privacy concerns, leading to poor choices around passwords and other cybersecurity behaviors. This lax user approach to security, combined with rapid digital transformation by businesses during the pandemic poses a big risk to companies and provides attackers with further opportunities to propagate cyberattacks across industries. These poor personal security habits carry over to the workplace.

“RockYou 2021: largest password compilation of all time leaked online with 8.4 billion entries” – Cybernews, 7 June 2021.
A massive 100 gigabyte text file containing 8.4 billion entries and passwords that was combined from previous data leaks and breaches was published on a popular hacker forum.

“Hackers Breached Colonial Pipeline Using Compromised Password” – Bloomberg, June 4, 2021.
Investigators suspect hackers got the password from a dark web leak. Hackers gained entry into the Colonial Pipeline network through a dormant virtual private network account that was no longer in use at the time of the attack but could still be used to access the network. The account’s password had been leaked with a batch of other passwords on the dark web. The account also used a simple username and password without any other means of authentication. The hackers also stole nearly 100 gigabytes of data, which they threatened to leak if the ransom wasn’t paid. The hack caused a shutdown of the pipeline, leading to a fuel crisis on the East Coast. The shutdown lasted more than a week.

“SolarWinds hack was ‘largest and most sophisticated attack’ ever: Microsoft president” – Reuters, 14 Feb 2021.
In the SolarWinds attack, hackers compromised a routine software update that gave them access to potentially up to 18,000 companies and government institutions globally. The hackers roamed around the networks of these companies for nine months before they were finally discovered. It will take months to identify the compromised systems and shut down the breaches. The breach of customer systems came through a small software vendor in the supply chain.

The above are just a couple of the recent examples of cyber breaches, from very sophisticated breaches such as SolarWinds to less sophisticated ones that caused a weeklong shutdown, as in the Colonial Pipeline example. Hacks and breaches are becoming more frequent and more costly as attack surfaces grow across the full supply and value chains of companies.

52% of email users failed to detect an actual phishing email. GreatHorn survey, September 2020.

Looking at these large-scale breaches, and at the trend of attack surfaces extending throughout a company’s supply and value chains, it is clear that companies are at increased risk and that there is still a lot more work to be done when it comes to Cyber Risk management.

Yet, most companies still rely on the basics: employee training on phishing, basic pen testing, updating and creating more policies, more training on the policies, and some aspects of multi-factor authentication and VPNs to try and secure the company’s information systems.

Why do most companies still think this approach is enough and the responsibility of the IT and the Risk teams in the organization?

THIS IS NO LONGER A SUSTAINABLE APPROACH!

With the increased risk of the business being shut down for days and weeks on end due to ransomware attacks, stricter data privacy legislation and resulting fines, the cost to the business when an attack happens can potentially cripple the business for years to come or potentially shut the business down.

So, what do companies need to look at or change?

Let’s look at this question based on the current top trends around Cyber Risk to companies.

  • Ransomware continues to be one of the top threats to companies. The predominant way hackers gain access is still through phishing and simple password access. Operational processes for on- and off-boarding of employees, vendors and contractors across the company’s business network become critical. This requires a review of all digital touchpoints of all users across all systems in the company, and a review of whether the security technology in place addresses the risk sufficiently. The fewer manual processes to manage digital credentials across all these touchpoints, the better. Multi-factor and zero-trust-based authentication is a must, and all use of simple username-and-password credentials needs to be eradicated across all systems.
  • Supply Chain attacks are growing and increasing the risk of attacks through a vendor or partner’s system that is integrated into the company’s information systems. This requires a cyber approval plan and constant auditing of the vendor and partner systems as it relates to all the digital touchpoints of their software or systems into the company’s networks and information systems.
  • The way we work has changed with a larger remote work force whose home networks and systems are outside the “Secure” corporate environment creating a higher risk of hacker access through unsecured wireless networks. The user behavior changes of more lax approaches to security and data privacy require more training and awareness and the potential deployment of additional security technologies to provide better security to the remote worker’s home networks. This also will require a review of the company’s overall policies on bring-your-own-device, employee conduct and how to govern employee behaviors. Security has now also become an HR matter.
  • Stricter compliance. The SolarWinds attack prompted new US government legislation and requirements, now being drafted, with stricter compliance and standards around investigations of cyber events and standards for software development for companies dealing with government institutions. Companies working with Government institutions in the US will require CMMC (Cybersecurity Maturity Model Certification) control standards. This model encompasses multiple domains, processes for each of these domains, capabilities and practices that measure a contractor’s capabilities, readiness and sophistication in the area of cybersecurity. New compliance standards will drive up the cost of doing business in much bigger ways than what Sarbanes-Oxley has done for corporate financial reporting.
  • Stricter data and privacy legislation with more punitive fines. This requires a full evaluation of data vulnerabilities throughout the company as well as the company’s supply chain and coming up with clear plans and strategies on how to mitigate these.
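
The credential review called for in the first bullet can start from an account export. The following is an added example, not part of the original article: it flags the pattern described in the Colonial Pipeline summary above (an unused account that still works and has no second factor). The CSV columns, the 90-day threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export of remote-access accounts (not real data).
# The column names are assumptions; map them to your own VPN/IdP export.
SAMPLE_ACCOUNTS = """\
username,account_type,last_login,mfa_enabled,owner_status
a.ndlovu,employee,2021-05-28,yes,active
svc-backup,service,2021-06-01,no,active
j.smith,employee,2020-11-02,no,offboarded
vendor-hvac,vendor,2021-01-15,yes,contract_ended
c.lee,contractor,2021-05-30,no,active
temp-admin,employee,,no,active
"""

DORMANT_AFTER_DAYS = 90  # assumed policy threshold, tune to your environment
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def audit_accounts(csv_text, today, dormant_after_days=DORMANT_AFTER_DAYS):
    """Return findings for stale and/or password-only accounts, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        stale = False

        # Off-boarding gap: the person or vendor is gone, the login is not.
        status = row["owner_status"].strip().lower()
        if status != "active":
            reasons.append(f"owner {status}")
            stale = True

        # Dormancy: no recent login, or an account that was never used.
        raw_login = row["last_login"].strip()
        if not raw_login:
            reasons.append("never logged in")
            stale = True
        else:
            last_login = datetime.strptime(raw_login, "%Y-%m-%d").date()
            idle_days = (today - last_login).days
            if idle_days > dormant_after_days:
                reasons.append(f"dormant for {idle_days} days")
                stale = True

        # Simple username and password with no second factor.
        password_only = row["mfa_enabled"].strip().lower() != "yes"
        if password_only:
            reasons.append("password-only login")

        if not reasons:
            continue
        if stale and password_only:
            severity = "critical"  # unused and protected by a password alone
        elif stale:
            severity = "high"      # should be disabled even though MFA is on
        else:
            severity = "medium"    # in use, but needs MFA enrolment
        findings.append({
            "username": row["username"],
            "account_type": row["account_type"],
            "severity": severity,
            "reasons": reasons,
        })

    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["username"]))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, today=date(2021, 6, 7)):
        print(f'{finding["severity"]:8} {finding["username"]:12} '
              f'{"; ".join(finding["reasons"])}')
```
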

Cyber Security is no longer just a “nuisance” add-on or cost. It needs to form a clear part of a company’s strategy and has become a key cornerstone in the Digital strategy of the company.

With the dawning era of the Internet of Things (IoT), cybersecurity affects the entire business model. Adequately addressing the threat means bringing together several business perspectives – including the market, the customer, production, and IT. Most often, the CEO is the only leader with the authority to make cybersecurity a priority across all of these areas. We believe that the issue of cybersecurity in many cases will require senior executive or even CEO initiative.

It is time to re-draw plans based on zero trust security principles and establish clear frameworks from the top down throughout all groups of the organization for monitoring, controlling, detecting, mitigating and responding to the increasing cyber threat.

As we have discussed earlier, as soon as one breach avenue has been foiled, attackers are quick to find other means. With the growth in indirect attacks, the spotlight falls on protecting third parties and other partners. But there are enormous challenges in managing third-party cyber risks. Large volumes of data can overwhelm the teams responsible for managing compliance.

The complexities of global supply chains, including the regulatory demands of various regions or countries, add to the strain. In our experience, many CISOs feel that the sizable number of vendors outstrips their capacity to monitor them. Given finite security resources, there is value in a data-driven, business-focused, tiered-risk approach to secure the enterprise ecosystem. This may mean introducing managed services to help the organization tackle the wider scope and scale.

By collaborating more broadly with others with the common goal of securing the enterprise and its ecosystem, organizations can not only play a responsible role in helping their smaller partners to beat cybercrime, but can also be sure they are not bolting the front door against attackers while leaving the back door wide open.

A core group of leaders has shown that cyber resilience is achievable and can be reproduced. By investing for operational speed, driving value from these investments, and sustaining what they have, they are well on the way to mastering cybersecurity execution. Leaders often take a more considered approach to their use of advanced technologies by choosing those which help deliver the speed of detection and response they need to reduce the impact of cyberattacks.

And once they do decide to invest, they scale fast—the number of leaders spending more than one-fifth of their budget in advanced technologies has doubled in the last three years. The combined result is a new level of confidence from leaders in their ability to extract more value from these investments— and by doing so, exceed the performance levels of the non-leaders.

With two out of five cyberattacks now indirect, organizations must look beyond their own four walls to their broader business ecosystems. They should become masters of cybersecurity execution by stopping more attacks, finding and fixing breaches faster and reducing breach impact. In this way, they can not only realize security innovation success but also achieve greater cyber resilience.

Finally, cybersecurity remains much talked about, yet underleveraged as a differentiating factor on the business side. With the advent of the IoT, there is a real opportunity to move ahead and designate the security of products, production process, and platforms as a strategic priority. The breadth of the challenge spans the entire supply chain and the whole product lifecycle and includes both the regulatory and the communication strategy. For CEOs in leading IoT and Digital organizations, we believe cybersecurity should be at the top of the agenda until rigorous processes are in place, resilience is established, and mindsets are transformed.

As Stephane Nappo, Global Head Information Security for Société Générale International once said:

“The Internet of Things (IoT) devoid of comprehensive security management is tantamount to the Internet of Threats. Apply open collaborative innovation, systems thinking & zero-trust security models to design IoT ecosystems that generate and capture value in value chains of the Internet of Things.”

 

This article is the expressed opinions and collaboration between two senior-level industry board professionals on their views and perceptions on the subject matter:

MARIA PIENAAR
CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor

Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.

Being a master networker, she extracts strategic value through tapping the latent creativity of teams and customers and catalyzes partnerships with highly innovative organizations. Her diverse leadership roles in global 100 and startup companies enable her to see the end-to-end picture and plot the most effective course for designing, launching and scaling new products and services for companies, driving customer growth. Maria co-founded Blue Label Ventures, a Corporate VC focussing on investments in Digital Health, IOT, Cyber Security, Fintech (incl. InsurTech).

Previously she was CIO at Cell C, a challenger mobile carrier, and before that held various leadership roles in Business Development, Go-to-Market Strategy, Strategic Partner Management and Product Marketing for Lucent, Nokia, Vodafone, Globalstar and various startups. Maria holds a BSc in engineering.


Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.

With more than 30 years’ experience in international business and management, he is the author of five books and lectures at business forums, conferences and universities. He has been the focus of TEDx and RT Europe’s business documentary across various thought leadership topics and his authorisms.

Geoff is a member and fellow of the Institute of Directors; associate of The International Business Institute of Management; a co-founder and board member of the Neustar International Security Council (NISC); and a distinguished member of the Advisory Council for The Global Cyber Academy.

He holds a master’s degree in business administration. Rated by Agilience as a Top 250 Harvard Business School thought leader authority covering blogs and writing across ‘Strategic Management’ and ‘Management Consulting’, Geoff has worked on strategic growth, strategy, operations, finance, international development, growth and scale-up advisory programs for the British Government, Citibank, Kaspersky, BT and Barclays among others.


Predictions for the start of 2020

2019 was definitely an interesting year!

As Abraham Lincoln once said: “The best way to predict your future is to create it.”

It’s hard to imagine that we’re living in the year 2020. Though we’ve seen plenty of impressive technological advances, like artificial intelligence and phones that unlock by scanning our faces, it’s not quite the world of flying cars and robot butlers people once imagined we’d have by now.

As crazy as these all seem, the world is on track for some spectacular innovations in 2020. Privately operated space flights, self-driving taxis and increases in cyberwarfare would have all seemed like science fiction a few decades ago, but now they’re very real possibilities.

So, let’s have a look at some of the expectations for 2020:

Space Travel
Humans living on other planets is a staple in sci-fi, but it’s growing closer to reality thanks to private space travel initiatives.

As greater advances in space travel are made, the media’s interest will be revitalised. Those private companies will likely capitalise on that attention, which could lead to opportunities to bid on government contracts. Jobs will be created. Auxiliary innovations will be developed. And our chance to become a multiplanet species will (infinitesimally) increase.

Self-Driving Cars

Ride-hailing services are already part of everyday life, but self-driving cars are set to cause seismic changes to the industry. Once safety concerns are addressed, many passengers might find that they prefer being driven by a computer rather than a nosy human. And implementing a network of self-driving cars will be crucial in order for these platforms to finally make a profit.

Companies may adapt to self-driving cars as well. Autonomous transport obviates the need for large fleets of corporate cars. Transportation costs for employees could be drastically reduced. The company could get depreciating assets off the books. And energy efficiency would increase. It’s a win-win-win.

Cybersecurity

Cybersecurity continues to grow in importance as more of our information moves online. Unfortunately, we’ve seen how woefully unprepared even trusted sectors like finance and government can be when it comes to keeping data safe.

No one wants their credit card information appearing on a hacker’s forum, so cybersecurity is crucial for any company doing business online. Cyberattacks are becoming more sophisticated, but fortunately, innovation in countermeasures has surged forward as well. Going into the next year, the cybersecurity industry will likely grow, assisted by cutting-edge technology like artificial intelligence (AI) and machine learning.

We are amidst the 4th Industrial Revolution, and technology is evolving faster than ever. Companies and individuals that don’t keep up with some of the major tech trends run the risk of being left behind. Understanding the key trends will allow people and businesses to prepare and grasp opportunities.

Artificial Intelligence (AI) is one of the most transformative tech evolutions of our times. Most companies have started to explore how they can use AI to improve the customer experience and to streamline their business operations. This will continue in 2020, and while people will increasingly become used to working alongside AIs, designing and deploying our own AI-based systems will remain an expensive proposition for most businesses.

For this reason, most AI applications will continue to be delivered through providers of as-a-service platforms, which allow us to simply feed in our own data and pay for the algorithms or compute resources as we use them.

Currently, these platforms, provided by the likes of Amazon, Google, and Microsoft, tend to be somewhat broad in scope, with (often expensive) custom-engineering required to apply them to the specific tasks an organization may require. During 2020, we will see wider adoption and a growing pool of providers that are likely to start offering more tailored applications and services for specific or specialized tasks. This will mean no company will have any excuses left not to use AI.

The 5th generation of mobile internet connectivity is going to give us super-fast download and upload speeds as well as more stable connections. While 5G mobile data networks became available for the first time in 2019, they were mostly still expensive and limited to functioning in confined areas or major cities. 2020 is likely to be the year when 5G really starts to fly, with more affordable data plans as well as greatly improved coverage, meaning that everyone can join in the fun.

Super-fast data networks will not only give us the ability to stream movies and music at higher quality when we’re on the move. The greatly increased speeds mean that mobile networks will become even more usable than the wired networks running into our homes and businesses.

Companies must consider the business implications of having super-fast and stable internet access anywhere. The increased bandwidth will enable machines, robots, and autonomous vehicles to collect and transfer more data than ever, leading to advances in the area of the Internet of Things (IoT) and smart machinery.

Extended Reality (XR) is a catch-all term that covers several new and emerging technologies being used to create more immersive digital experiences. More specifically, it refers to virtual, augmented, and mixed reality. Virtual reality (VR) provides a fully digitally immersive experience where you enter a computer-generated world using headsets that blend out the real world.

Augmented reality (AR) overlays digital objects onto the real world via smartphone screens or displays (think Snapchat filters). Mixed reality (MR) is an extension of AR in which users can interact with digital objects placed in the real world (think playing a holographic piano that you have placed into your room via an AR headset).

These technologies have been around for a few years now but have largely been confined to the world of entertainment – with Oculus Rift and Vive headsets providing the current state-of-the-art in videogames, and smartphone features such as camera filters and Pokemon Go-style games providing the most visible examples of AR.

With so many changes to our technology coming so fast, it can be hard to grasp the sheer scale of innovation underway. The list above highlights some of the more interesting developments, but is far from exhaustive. Whatever happens, 2020 will be an interesting year for major tech companies and budding entrepreneurs alike.

2020 will be a year of reckoning for those that have held on too long or tried to bootstrap their way through transforming their business.

Simply put, the distance between customer expectations and the reality on the ground is becoming so great that a slow and gradual transition is no longer possible. Incrementalism may feel good, but it masks the quiet deterioration of the business.

Whether CEOs in these companies start to use their balance sheet wisely, find new leaders, develop aggressive turnaround plans, or do all of the above, they and their leadership teams must aggressively get on track to preserve market share and market standing.


Finally, 2020 brings ‘Purposeful Discussions’ which is now my fifth book in a series of books that provide purpose driven outcomes in support of some of the most talked-about subjects in life today. This book demonstrates the relationship between communications (human 2 human), strategy and business development and life growth. It is important to understand that a number of the ideas, developments and techniques employed at the beginning as well as the top of business can be successfully made flexible to apply.

As Swami Vivekananda once said:

“Take up one idea. Make that one idea your life – think of it, dream of it, live on that idea. Let the brain, muscles, nerves, every part of your body, be full of that idea, and just leave every other idea alone. This is the way to success.”

What can we all learn from the cyber threat landscape of 2018?

Every year, as a co-founder and member of the Neustar International Security Council, I attend The Neustar Cyber Summit. This year the summit was held at the OXO Tower in London, and there really were some very interesting findings from the summit which I would like to share.

Rodney Joffe, Chairman of NISC, started to discuss where the Internet of Things fits into the equation.

‘The first thing to recognize is that the Internet of Things is a new phrase for something that’s existed for years. The only difference is scale.
Sometime in the late 1970s or early 1980s, some computer science students wired a Coca-Cola vending machine to the Internet. The students wanted to solve the problem of walking down three flights of stairs to the lobby only to discover there weren’t any cold Cokes in the machine.
It was one of the first devices wired to the Internet, and anyone could connect to it and ask for the status of the Cokes. So IoT isn’t really new. It’s probably best defined as all of the devices that can be connected to the Internet that don’t necessarily look like traditional computers. Items like smart power meters, smart lightbulbs and modern home thermostats, all the way to critical medical appliances and devices, jet engines and power turbines.

Because everyone is now focused on the IoT, we’re trying to develop rules around how all people, places and things interconnect. But millions of devices and things that are out there already are not secure, so we have to find ways of securing them and making sure that everything that gets added in the future is secure.
It’s no big deal if the Coke machine is wrong, but what if a nuclear-generating turbine goes down or if all the air-conditioning systems in a city go on at the same time because the smart meters that control the smart homes were compromised?

The other thing to recognize is that the industrial IoT is much larger than the consumer IoT. The breach of Target customer credit cards started when network credentials were stolen from an air-conditioning filtration vendor that had serviced various Target stores. Those credentials were used to hack into Target’s system, then install malware on a large number of the chain’s point-of-sale devices. The end result was brand damage for Target that has reverberations today.

The facts are, in 2016, we saw a number of huge attacks — many that exceeded 1Tbps. In 2017, by contrast, we saw fewer large distributed denial-of-service (DDoS) attacks, possibly because hackers were finding little advantage in taking a company completely offline. Another explanation is that hackers were simply enjoying the success of the previous year’s myriad of extortion and ransomware-oriented attacks, as well as the many DDoS-associated data breaches.

So far in 2018, however, the big attacks are back with a vengeance. Earlier this year we saw the largest DDoS attack ever recorded — 1.35Tbps — using a new type of attack called Memcached, which will be discussed later. Then, a 1.7Tbps DDoS attack was recorded. Previous amplification attacks, such as DNSSEC, returned a multiplication factor of 217 times, but Memcached attacks returned amplification records exceeding 51,000 times! In fact, the potential return from Memcached attacks is so large that they do not require the use of botnets, making them a new and dangerous risk vector.

We are hoping that these attacks will go the way of the Simple Service Discovery Protocol (SSDP) amplification attacks, which used the protocol designed to advertise and find plug-and-play devices as a vector. SSDP amplification attacks are easily mitigated with a few simple steps, including blocking inbound UDP port 1900 on the firewall. There are similar steps that organizations can take to mitigate Memcached attacks, including not exposing servers and closing off ports, but until then, Neustar is prepared.

This year we are also seeing different uses for DDoS beyond simple volumetric attacks, including what we call quantum attacks. Quantum attacks are relatively small and designed to bypass endpoint security and avoid triggering cloud failover mitigation. These attacks are being used for scouting and reconnaissance. In a recent incident, Neustar stopped a quantum attack that never peaked over 300 Mbps, but it featured 15 different attack vectors, went on for 90 minutes, and involved all of Neustar’s globally distributed scrubbing centers.
This attack came from all over the world and was designed to bypass perimeter hardware, using protocols to circumvent their defenses. The attackers behind such campaigns may start small, but they can quickly add botnets, attack vectors, and ports to get what they want.

Neustar recently thwarted what is believed to be the first IPv6 attack. This attack presented a new direction that attackers are likely to pursue as more and more companies adopt IPv6 and run dual IPv4/IPv6 stacks. We believe that IPv6 vectors will continue to emerge as organizations around the world move to adopt the new standard.

You can also expect to see more Layer 7 (application layer) attacks, including those targeting DNS services with HTTP and HTTPS requests. These attacks are often designed to target applications in a way that mimics actual requests, which can make them particularly difficult to detect. It is important to note, however, that Layer 7 attacks are typically only part of a multi-vector DDoS attack. The other parts are aimed at the network and overall bandwidth.

DDoS attacks can be found in a multitude of sizes and for any reason imaginable. They can now be used to find vulnerabilities, to locate backdoors for exfiltration, and as a smokescreen-like distraction for other activities. Today’s organized criminals are able to focus on the results that they want and simply buy or rent the malware or botnets they need to get there. Some have gone so far as to comment that criminals are getting more and more like corporations, each with their own specialization.

The simple fact is that if you’re online, you’re susceptible to an attack. Whether you are vulnerable or not is entirely up to you.

The summit and Rodney Joffe’s keynote were incredibly insightful, but where does that leave us today and how can we guard against such threats in our business and personal lives?

A New York Times report reveals another cyberattack using stolen NSA hacking tools, and experts warn computer systems are not prepared for even more widespread attacks likely in the future. Max Everett, the managing director at Fortalice Solutions, joins CBSN to discuss the threat.

Cybersecurity expert warns the world is not ready.

We can all agree that over the course of 2018, global cyber threats have continued to evolve at speed, resulting in a dramatic reshaping of the cyber security landscape. Traditional threats such as generic trojans, ransomware and spam bots were transformed.

Powered by military-grade code allegedly leaked from the NSA, threats such as WannaCry and GoldenEye wrought havoc throughout, shutting down businesses and causing unprecedented operating losses.

The effectiveness of these threats has been compounded by novel lateral movement vectors that augment zero-day exploits such as EternalBlue and EternalRomance, allowing malware to ‘hop’ from one network to another, from organisation to organisation. These targeted attacks are reshaping corporate and government digital security, whilst simultaneously causing fallout in the consumer space.

Ransomware specifically aimed at companies has also become far more prevalent. Since the re-emergence this March of Troldesh, companies have faced extremely targeted attacks that abuse the Remote Desktop Protocol to connect to infrastructure, then manually infect computers.

Certain strains of ransomware such as Troldesh and GlobeImposter come equipped with lateral movement tools (such as Mimikatz) that allow the malware to infect an organisation, and with log clean-up mechanisms to cover their tracks.

Following a surge of market interest around cryptocurrencies that has continued through 2018 and into 2019, miners have diversified and proliferated. Traditional illicit coin miners have rushed to adopt lateral movement tactics such as the EternalBlue and EternalRomance exploits, allowing cybercriminals to infect computers in organisations and increase mining efforts.

Based on threat developments in 2018, organisations should essentially prepare for more sophisticated iterations of malware based on the same theme in 2019.

After years of focusing on individuals, malware authors will increasingly target enterprises and networks of computers. Lateral movement will become standard in most malware samples, either via password-grabbing utilities like Mimikatz, or by exploiting wormable vulnerabilities. In addition, the number of malicious attachments in spam emails will increase, particularly those written in scripting languages such as Perl or Python.

“All the world’s a stage/ And all the men and women merely players”; Shakespeare’s famous line makes us consider each person an ‘actor’ in their own right, with their own individual role to play. And when looking across the cyber threat landscape, this rings especially true – each actor has their own motivations and distinct part to play.
When the proverbial hits the fan, it’s typical for the victim – a business or government entity – to focus on the indicators of compromise (IoC) rather than what led to the attack in the first place.

Looking at IoCs is an essential part of a cyber defence strategy and can help victims identify who is targeting them. But it’s a reactive approach, which doesn’t help once your organisation has been breached.

This rear-facing view is also reflected in the sensationalist cyber news narrative. The media tend to focus on the number of attacks – a vanity metric – but rarely on their complexity, their length, who was behind them, or what the attackers’ motivations were for targeting the organisation in the first place.

IoCs tend to change very quickly; the actor behind them does not, nor do their objectives and tactics, techniques and procedures (TTPs). For example, US-CERT’s release on the Grizzly Steppe malicious Russian activity was complex in that many of the IoCs that were provided were false positives or TOR exit nodes, making it difficult for companies to make sense of them and ingest them.

As such, it’s vital that organisations look to understand the actor – their motive, opportunity and means – and not merely read into the IoCs if they are to protect themselves from potential attack.

Threat intelligence highlights IoCs around an attack, such as that the actor was using cheap outsourced labour to perpetrate the attack, was using a particular hosting platform, or shared infrastructure.

IP addresses and domain names change very quickly, but the adversary’s motive does not. Knowing this is the first step towards changing an organisation’s security stance to mitigate the threat, identifying the indicators of attack (IoAs) rather than just the IoCs. Without intelligence, this would be impossible.

The type of malicious actor organisations must deal with will differ. Some may be state-sponsored, for example, carrying out cyber espionage on behalf of a nation. Others may be hacktivists, looking to incite political change, or cyber criminals looking to make a profit.
Understanding the bigger picture beyond the impact of the attack itself is critical if the good guys are going to triumph over the bad. Intelligence plays a key role in getting to the core of that bad apple.

STIX, the standardised language to represent structured information about cyber threats, helps to store and share information on actors and TTPs. It has become the de facto standard for information sharing in cyber threat intelligence as it facilitates automation and human-assisted analysis.
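To make the IoC-versus-actor point concrete, here is an added example (not from the original article) that builds a small STIX 2.1 bundle by hand and queries it: the indicators carry validity windows and expire, while the actor, its motivation and its TTP remain. The actor name, IP addresses (documentation ranges) and dates are constructed for illustration.

```python
import json
import uuid
from datetime import datetime, timezone

FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # STIX timestamps are UTC with a trailing Z


def sdo(stix_type, created, **props):
    """Build a STIX 2.1 object with the common required properties."""
    return {"type": stix_type, "spec_version": "2.1",
            "id": f"{stix_type}--{uuid.uuid4()}",
            "created": created, "modified": created, **props}


def relate(source, rel_type, target, created):
    """Build a STIX relationship object linking two objects by id."""
    return sdo("relationship", created, relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])


def build_bundle():
    """Constructed sample: one durable actor and TTP, two short-lived IoCs."""
    t0, t1, t2 = ("2018-03-01T00:00:00.000Z", "2018-03-15T00:00:00.000Z",
                  "2018-04-01T00:00:00.000Z")
    actor = sdo("threat-actor", t0, name="Example Crew (hypothetical)",
                threat_actor_types=["criminal"],
                primary_motivation="personal-gain")
    ttp = sdo("attack-pattern", t0, name="Remote Desktop Protocol abuse")
    old_ip = sdo("indicator", t0, pattern_type="stix",
                 pattern="[ipv4-addr:value = '203.0.113.7']",
                 valid_from=t0, valid_until=t1)
    new_ip = sdo("indicator", t1, pattern_type="stix",
                 pattern="[ipv4-addr:value = '198.51.100.23']",
                 valid_from=t1, valid_until=t2)
    objects = [actor, ttp, old_ip, new_ip,
               relate(actor, "uses", ttp, t0),
               relate(old_ip, "indicates", actor, t0),
               relate(new_ip, "indicates", actor, t1)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": objects}


def parse_ts(value):
    """Parse a STIX timestamp string into an aware UTC datetime."""
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def active_patterns(bundle, at):
    """Patterns of indicators whose validity window contains `at`."""
    when = parse_ts(at)
    return [o["pattern"] for o in bundle["objects"]
            if o["type"] == "indicator"
            and parse_ts(o["valid_from"]) <= when
            and ("valid_until" not in o or when < parse_ts(o["valid_until"]))]


def actor_profile(bundle):
    """Map each actor name to its motivation and the TTPs it 'uses'."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    profile = {}
    for rel in bundle["objects"]:
        if rel["type"] == "relationship" and rel["relationship_type"] == "uses":
            actor, ttp = by_id[rel["source_ref"]], by_id[rel["target_ref"]]
            entry = profile.setdefault(actor["name"], {
                "motivation": actor.get("primary_motivation"), "ttps": []})
            entry["ttps"].append(ttp["name"])
    return profile


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print(active_patterns(bundle, "2018-05-01T00:00:00.000Z"))  # IoCs expired
    print(actor_profile(bundle))  # actor and TTP knowledge remains
```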

Finally, it’s worth remembering that intelligence is not a silver bullet. It’s a part of a wider puzzle that enterprises need to put together in order to give themselves the best chance of defence against a cyber attack.

Security needs to be seen as an architecture, embedded in the foundation of an organisation. Hygiene factors such as ongoing patch management and end-user training also need to be considered.

The human element behind an attack is often forgotten. However, analysts can create a ‘big picture’ of the lifecycle and ecosystem of hackers by adding in the more specific details.

Enterprises and governments are under a constant barrage of cyber attacks. With the threat landscape evolving and attacks becoming ever-more sophisticated, having time to stop and think about the actor behind the malicious intent may seem like a luxury.
However, businesses need to start looking at cyberattacks from the adversary’s perspective to understand what is most attractive to an attacker. Without this understanding, the problem will persist and the next newspaper headline will feature their name.

In summary, the question is not whether you will be attacked. It is when, by what, and how badly your company’s reputation or finances will be damaged. And one thing is sure in the uncertain world of cybersecurity – the wrong time to consider defence is after the attack has occurred.

James Comey once said:
“We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas – things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy.”

Guest-blog: David Priseman – The future of technology in home-care for the elderly

David Priseman

Technology is currently critical to home health care. Future advances in home health care technologies have the potential not only to facilitate the role of home health care within the overall health care system but also to help foster community-based independence for individuals.

Today I have the pleasure of introducing another Guest Blogger, David Priseman, who is an accomplished Executive Director. David had a career in consultancy and banking, including spells abroad with two major European banks and has worked for several years in the field of private equity and alternative finance as well as an advisor to SMEs. He has considerable board experience and currently chairs a mid-sized care home group and is a non-executive director of a small but ambitious technology company. He has a particular interest in how technology can address the challenges of the care sector, which is often slow to adopt innovation.

David is going to discuss with us today the future of technology in home-care for the elderly.

Both councils and families strive to keep the elderly living in their own home for as long as possible. Councils see a simple cost advantage in doing so, whilst families also like the idea that mum (statistically, it is usually mum) can still live at home.

However the reality of a single elderly person living at home on her own can be far from the rosy ideal. There is an alternative image of a harassed care worker rushing into an elderly person’s home, quickly heating up a tin of baked beans then 15 minutes later rushing out of the door. Yet this might be the only contact the person has with anyone until the same or a different care worker rushes by the next day.

Domiciliary care, like residential care, is difficult to provide effectively and profitably. Companies are handing back council care contracts as they cannot operate at the fee levels on offer (1). Staff recruitment and retention is a permanent challenge.

Councils are reluctant or unable to pay more than £15/hour, which is not financially viable for home-care providers, who now have to pay employees a higher minimum wage as well as their travel costs. However it can be viable at £20/hour. With care home costs around the £1,000/week level, half this amount would buy 25 hours of home-care per week. As the number of residential care beds is in slight decline whilst the number of elderly people is projected to rise steeply, this implies that the number of elderly people living at home will also rise. With this could come a significant growth in the self-payer home-care market.

People living at home are exposed to the risk of physical vulnerability, slow and inappropriate care delivery and social isolation. However the recent development of new technologies may in combination significantly improve the social and care experience for such people.

The unpredictability of the number of hours worked, together with the short-term notice of rotas and sudden changes in rotas, is a major cause of high home-care worker turnover (2) and a headache for domiciliary care providers. However a range of competing software and apps have now been developed to mitigate (though not remove) this challenge. This can improve the efficiency of staff scheduling from a provider’s viewpoint, addressing one of the main sources of dissatisfaction of employees whilst also introducing flexibility for the elderly resident.

Many elderly people have traditionally had a regular, perhaps weekly, phone call with their children. Some now conduct this through Skype. In addition, some families have installed a videocam or webcam in their parent’s home, usually in the kitchen or lounge/dining room, so they can see mum. This helps to maintain social contact and give reassurances about mum’s safety and wellbeing.

The development of ‘wearable technology’ should become more widespread. Currently the dominant application is for fitness monitoring during exercise, however it will increasingly move over to healthcare monitoring. This can be a watch or a monitor which is worn as an arm panel or in the future may be embedded in clothing; in all cases it measures certain of the wearer’s vital signs.
At present, these are mostly used in hospitals to reduce the requirement of nurses, of whom there is a well-documented shortage, to conduct routine patient checks. Instead, the data are transmitted to a cloud-based server and if a vital sign reading crosses a warning threshold this immediately signals an alert. In time, these devices will migrate to the residential setting.
This will speed up the awareness and treatment of a wearer’s condition. Major medical device companies such as Medtronic and GE are active in this area, which has also seen technology start-ups enter the market, such as EarlySense and Snap40. (3)

The internet of things (IoT) is rapidly increasing the number of internet-connected devices in the home. This can be used in a number of ways to improve the safety of elderly people living at home. For example, many people get up, go to the toilet, have a cup of tea and open the curtains. Sensors can detect whether or not the toilet has been flushed, the kettle boiled and the curtains opened, and if any of these things has not happened by say 9am then an alert would be triggered. (4)

One of the main problems facing the elderly living alone is loneliness and the lack of contact with others. Here, a combination of technologies is emerging to provide at least a partial solution. Awareness has recently increased of Amazon’s Alexa voice-controlled system which can search the internet, answer questions and respond to simple commands. Apple’s Siri and Microsoft’s Cortana are similar and rival devices.
Owing to improvements in voice recognition and AI, it will increasingly be possible to have an interactive ‘conversation’ with such devices. At some point, it may be possible to combine this with the face of a person on a screen or even a hologram of a person in the room to create the impression that a human is having a conversation with and maybe even developing a relationship with an intelligent machine-based ‘person’.
This idea has been explored in television and film, for example the science-fiction drama Her when a man develops a romantic relationship with his computer’s feminised operating system (5). Soon, it may become reality and even commonplace.

Finally, more than one of these technologies may combine in a way that provides care monitoring, practical assistance and companionship. Developed countries all have aging populations so the need to find solutions is urgent and many companies and universities are conducting research into this area, such as robotics with AI (6). New market opportunities are emerging to integrate and package appropriate technology solutions.

The vulnerable elderly living on their own at home have often been poorly served to date. Yet the number of such people is poised to continue to rise steeply. However a number of technologies are now being developed in parallel to tackle the problems they face. The result may be an improved care environment for the elderly at home: safer, reliable, better supported and less isolated. Such a future could be with us sooner than we think.

You can contact David Priseman on LinkedIn or by email: davidpriseman @ btconnect.com (remove spaces).

References

1. http://www.bbc.co.uk/news/uk-39321579
2. http://timewise.co.uk/wp-content/uploads/2014/02/1957-Timewise-Caring-by-Design-report-Under-200MB.pdf
3. http://www.earlysense.com/ and http://www.snap40.com/
4. https://www.ibm.com/blogs/internet-of-things/internet-caring/ and https://www.ibm.com/blogs/internet-of-things/elderly-independent-smart-home/
5. http://www.herthemovie.com/#/about
6. http://www.bbc.co.uk/news/business-39255244

Exactly what is the future in Technology?

Technology forecasting is a completely unpredictable endeavour. No one wants to be a false prophet with a prediction so immediate that it can be easily proven incorrect in short order, but long-term predictions can be even harder. And yet even though people know predictions can be a waste of time, they still want to know: What’s next? Wishy-washy tech timelines only make prognostication more difficult, as entrepreneurs and researchers stumble around in the dense fog of developing prototypes, performing clinical trials, courting investors, and other time-consuming steps required for marketable innovation. It’s easy to hit a wall at any point in the process, causing delays or even the termination of a project.

In the year 1820, a person could expect to live less than 35 years, 94% of the global population lived in extreme poverty, and less than 20% of the population was literate. Today, human life expectancy is over 70 years, less than 10% of the global population lives in extreme poverty, and over 80% of people are literate. These improvements are due mainly to advances in technology, beginning in the industrial age and continuing today in the information age.

A very good friend of mine is a global technologist. In January I brought together a very collective group of distinguished individuals for a dinner, which I named ‘the great minds dinner’. This was a great opportunity to stimulate the subject of what technology is working in the world, what technology is emerging, what technology is not working in the world and, more importantly, what needs to change in order to accommodate all the prototypes of technology that appear to stay in the lab or on the shelf.

It is clear currently that thought leaders and so-called world futurists on the subject of technology can dish out some exciting and downright scary visions for the future of machines and science that either enhance or replace activities and products near and dear to us.

Being beamed from one location to another by teleportation was supposed to be right around the corner/in our lifetime/just decades away, but it hasn’t become possible yet. Inventions like the VCR that were once high tech — and now aren’t — proved challenging for some: The VCR became obsolete before many of us learned how to program one. And who knew that working with atoms and molecules would become the future of technology? The futurists, of course.

Forecasting the future of technology is for dreamers who hope to innovate better tools — and for the mainstream people who hope to benefit from the new and improved. Many inventions are born in the lab and never make it into the consumer market, while others evolve beyond the pace of putting good regulations on their use.

There are many exciting new technologies that will continue to transform the world and improve human welfare.

Here is a very interesting infographic researched by the National Academy of Sciences from their Smart Things Living Report.

The world around us is changing. In labs and living rooms around the world, people are creating new technologies and finding new applications for existing and emerging technologies. The products and services available to everyone thus expand exponentially every year. In the next five years, then, you can expect massive growth in what we can do.

Beyond 2018: Dr Michio Kaku on the Future in the Next 5-10-20 Years.

Irrespective of all the possible forecasting in long-range planning, I personally believe there are 3 imminent areas in particular that will provide important developments in the next 5 years.

1. Augmented Reality Will Explode
Technology mavens have talked for years about virtual reality and the applications available. Augmented reality is related, but allows us to lay the virtual world over the real world. Games like Pokemon Go provide examples of how this works; you use technology to “see” virtual creatures and items in real spaces.

Beyond fun and games, this technology provides a wealth of planning potential. You can drive your car, and arrows will appear on your road, guiding you to the right path. You can create visual representations of organizing tasks, building endeavors, and almost anything else that you want to see before you start working. Manuals will virtually overlay real items to be joined together – everyone will actually be able to construct an Ikea bed. The technology is here; ways to use it are just beginning to emerge.

2. Mobile Apps Will Decline
At the same time, the ubiquitous world of mobile apps will begin to slip back. The ways in which we connect to the world often require us to work through a smartphone or tablet. The mobile app ties us to devices; you have no doubt seen rooms full of people who never make eye contact, only staring at small screens. The cost of developing sophisticated apps and the marketing efforts needed to place your app on the most expensive “real estate” in the world do not always give a return on investment.

3. The Internet of Things Will Grow Exponentially
Availability and affordability of connected devices grow each year. We connect massive data networks to our homes, vehicles, and personal health monitors already. The ability to connect more devices, appliances, and objects to these networks means companies will know more about those they serve than ever before. Almost any device with electronic components can be configured for the IoT, and in the next five years, more will.

It should be abundantly clear now why analysis of the tech trends shaping the future might seem like science fiction. But researchers from UC-Berkeley to MIT are pulling the present sometimes step by step, sometimes by leaps and bounds into the future.

The next few decades will feel this disruption, often in startling ways. Indeed, while the technical hurdles to advancing these technologies are fascinating, we see people writing that the ethical and social dimensions of the changes they bring are the most interesting and troubling.

You can clearly see how the allied sciences and complementary developments of these trends will reshape our world, our lives, and our work. Millions will find that the skills they bring to the table simply can’t compete with smart automation. Legions of drivers, for instance, will soon find themselves unemployable.

And as AI continues to develop in tandem with robotics, the IoT, and big data, even the engineers and scientists who now design these systems will find themselves competing with their creations.

All of these developments I have touched on in this blog will require you to examine closely not only what is possible, but how privacy laws, intellectual property issues and the corporate ecosystems interact with those possibilities. Nevertheless, I am confident that within the lives of your grandchildren, now-incurable illnesses will fall to bio, nano, and neurotech. And I am sure that ignorance will slowly become something children learn about rather than experience first-hand.

Finally, the technologies I have discussed really are the shape of things to come, the technologies that will define life for decades.

Are you ready for the future? Ready to embrace the changes that are coming?

As Albert Einstein once said:

“It has become appallingly obvious that our technology has exceeded our humanity.”