Earlier this week, we covered the first and second days of Infosecurity Europe 2016. We now present our final day’s coverage of this year’s Infosecurity Europe conference.
The New Era in Cybersecurity Legislation: Learning from the German Experience
Speaker: Rainer Rehm, Chapter President, (ISC)2 Chapter Germany
With the new General Data Protection Regulation (GDPR) coming into force, I was really interested to hear how Germany is approaching IT-SIG (the IT-Sicherheitsgesetz), the IT security law Germany implemented in July 2015, which requires operators of critical infrastructure and telecommunications providers to implement minimum security standards or face fines.
Rainer Rehm started this session off by explaining what IT-SIG is and how it emphasizes security for national critical infrastructure. The law splits the critical infrastructure sectors into two baskets. The first basket covers telecommunications, energy/gas, water, and food; the second covers finance, transport, and health.
He then detailed the intention behind the law and how it’s designed to help improve organizations’ resilience when it comes to critical infrastructure.
Rehm was careful to point out, however, that there are a lot of drawbacks. For instance, the law is designed as a reactive measure rather than a preventative one, and it says nothing about specific precautions or awareness training.
With that being said, IT-SIG is similar to the GDPR in some respects, such as the direction of travel on fines. Rehm stated that fines are increasing sharply: under the GDPR, organizations can be fined up to €20 million or 4% of total annual worldwide turnover, whichever is greater, a ceiling far above the fines the IT-SIG itself sets.
Rehm also pointed out that the new law will affect some more than others. Some verticals, for example, already have similar regulations in place, whereas others, such as food, don't. However, lots of organizations don't know whether they will be affected, so they are still unsure how to prepare.
So how do these kinds of companies get ready?
He brought up the law's requirement to use "state of the art" technology, but as Rehm was careful to highlight, regulators have given no clear definition of what counts as "state of the art." That could very well become an issue for some companies. He also mentioned other points, such as operators having to demonstrate compliance through an audit every two years, and how incident reporting will change in terms of timing and efficiency.
Rehm was clear in stating that good intentions motivate the changes behind the GDPR and IT-SIG, but he said both will likely need improving with the help of the industry.
Although IT-SIG has been law since July 2015, operators in the first basket have until 2018 to implement the required measures, close to the date the GDPR becomes applicable (May 2018), so there is still lots to do. Fortunately, Rehm provided some guidance to those who are affected.
Overall, Rehm presented a very interesting talk and offered great insights into how different nations are tackling the growth of security threats worldwide.
How to Minimize Cybersecurity Exposure Before, During and After an Emergency
Speaker: Kevin Flynn, Director of Products, Blue Coat Systems
What happens to an organization’s cyber security when disaster strikes? That question doesn’t enter into the minds of most companies, so this talk by Kevin Flynn on how enterprises can prepare their cyber security infrastructure in case of an emergency was really fascinating.
Flynn opened his talk by highlighting four points organizations need to have in place in order to be prepared.
- Measure a baseline to monitor what is happening pre-emergency.
- Make a plan.
- Deploy a plan.
- Review and make changes to that plan, when needed.
He gave us a recent example to highlight the importance of developing a disaster recovery plan. In December 2015, the Boxing Day floods hit a Vodafone data centre in Leeds. First responders and employees at the scene didn't think about security, mainly because security slows a response down: it asks defenders to stop and think like an adversary at the very moment they want to act.
As previously stated, during a crisis security isn't a priority for most people, which makes a disaster the perfect time for attackers to strike.
Another example given by Flynn was the unrest in Ferguson, Missouri following the fatal shooting of Michael Brown by police officer Darren Wilson. The city police department was busy responding to the ongoing riots and protests. This provided a perfect cover for someone to launch a distributed denial-of-service (DDoS) attack against the police and use it to take the department’s website and emails offline.
Clearly, without a backup plan in place, incidents like the one that occurred in Ferguson will make a sensitive situation even more difficult to control.
Flynn then brought up the following question: once an emergency has taken place, what questions do you need to ask and how do you respond? He mentioned several points, including how organizations need to consider which employees have access to which types of data.
Another interesting piece of advice from Flynn concerned awareness and bandwidth management. When a disaster strikes, organizations don't need staff surfing the web looking at personal Facebook accounts. They need to manage their bandwidth, so they should put some restrictions in place. To avoid burdening the help desk with unnecessary service requests, though, companies should tell users there is an emergency via temporary redirects or similar methods.
Finally, Flynn emphasized that organizations need to secure their online resources, including their websites and social media channels. Doing so not only improves customer and user awareness following a disaster, but it can also stop a hijacked account from becoming a disaster of its own.
To illustrate, Flynn used the example of the Syrian Electronic Army's takeover of the Associated Press's Twitter account in April 2013. Those responsible tweeted that there had been two explosions at the White House and that President Obama had been injured. Within minutes, the U.S. stock market briefly lost around $136 billion in value before recovering once the tweet was exposed as fake!
Flynn’s presentation was another very interesting talk at Infosecurity Europe 2016. It was great to get some insight into what needs to be done to ensure businesses can minimize the impact of a disaster and recover in the quickest and safest way possible.
Data Breach Survivor: Real World Tips, Tricks and Advice
Speaker: Paul Edon, Director of Internal Services, Tripwire
As we are now hearing about data breaches on a near-daily basis, I was really interested to hear Paul Edon’s thoughts on how to prepare for and recover from a breach.
Edon started with a quote from former FBI Director Robert Mueller that people are finding harder and harder to disagree with:
"I am convinced that there are only two types of companies: those that have been hacked and those that will be."
What was once an occasional security nightmare for a CISO has now become a regular occurrence. Not only that, but how can companies react to a breach when most don't know they have been infiltrated? Those that take security seriously might detect an intrusion quickly, but those that don't might not find out until weeks or even months later.
Edon then went on to emphasize three points organizations must consider to successfully address the threat of a breach.
- People – Invest in training in all areas of the business. Everyone needs to know the basics (at the very least), not only to help prevent some of the most common attacks, such as phishing, but also to identify unusual activity on corporate systems. If a network is running slowly, the company needs to find out why, and employees who have been trained to notice and report unusual behaviour are the ones most likely to surface the answer.
- Process – Develop and maintain a business risk profile. As technology continues to evolve at a rapid rate, it’s vital for organizations to keep policies up-to-date. For example, if a company’s system has changed, its policies may become obsolete. It’s therefore important to ensure that the right people are reviewing those policies on a regular basis.
- Technology – Using just an anti-virus solution won’t keep an organization safe, but having it as part of a defense arsenal will help. Organizations need to keep defense-in-depth in mind and have the right tools in place if they are to be successful.
Having the right people, processes, and technology in place is helpful, but it's ultimately not enough on its own. Because the environment is constantly changing, organizations also need to repeat security awareness training, review their processes on an ongoing basis, and keep their technology up to date if the machine is to stay well oiled.
Edon then went on to talk about what happens when an organization does get hit. The first thing is to ask the right questions.
Using his own experiences with customers, he offered a range of tips. Initially, he recommended that organizations take a step back. There is no need for a knee-jerk reaction to a breach. Companies should carefully assess what has happened, understand it, and then prioritize what they are going to do.
Next, Edon spoke about the importance of developing a baseline. Specifically, he recommended that companies collect data about their systems before an attack, so that after an incident they can compare the current state against that known-good record and identify exactly what the attacker touched.
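Both Flynn's first step (measure a baseline before an emergency) and Edon's advice here come down to the same mechanism: record what a system looks like while it is known to be good, then diff against that record afterwards. The script below is an added example of that baseline-and-diff approach, written for this write-up; it is not Tripwire's product code or anything either speaker showed. It hashes every regular file under a directory, stores the baseline as JSON, and classifies later changes as added, removed or modified (content, size or permission). The directory tree, file names and the "post-incident" changes in `demo()` are constructed for the demonstration.

```python
"""Baseline-and-diff file integrity check (added example; not Tripwire code).

Builds a baseline of a directory tree (SHA-256 + size + mode per regular file)
before an incident, then diffs a later snapshot against it to show what changed.
The paths and file contents used in demo() are constructed for this example.
"""
import hashlib
import json
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative_path: {"sha256", "size", "mode"}} for every regular file under root."""
    inventory = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and devices; they are not file content
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            inventory[rel] = {"sha256": digest.hexdigest(),
                              "size": st.st_size,
                              "mode": stat.S_IMODE(st.st_mode)}
    return inventory


def save_baseline(inventory, path):
    """Persist the baseline; in practice store it off-host so an intruder cannot rewrite it."""
    with open(path, "w") as fh:
        json.dump(inventory, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def diff_snapshots(baseline, current):
    """Classify each path as added, removed or modified relative to the baseline.

    For modified files the value lists which attributes changed, so a permission
    change with identical content is reported separately from a content change.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in set(baseline) & set(current):
        changed = [k for k in ("sha256", "size", "mode") if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, then simulate post-incident changes."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "www"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as fh:
            fh.write("debug=false\n")
        with open(os.path.join(root, "www", "index.html"), "w") as fh:
            fh.write("<h1>hello</h1>\n")
        with open(os.path.join(root, "www", "old.html"), "w") as fh:
            fh.write("<p>stale</p>\n")
        os.chmod(os.path.join(root, "etc", "app.conf"), 0o640)

        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)  # the "before" record

        # Simulated intrusion: config tampered, web shell dropped, a file deleted,
        # and a permission loosened without touching the file's content.
        with open(os.path.join(root, "etc", "app.conf"), "w") as fh:
            fh.write("debug=true\n")
        with open(os.path.join(root, "www", "shell.php"), "w") as fh:
            fh.write("<?php system($_GET['c']); ?>\n")
        os.remove(os.path.join(root, "www", "old.html"))
        os.chmod(os.path.join(root, "www", "index.html"), 0o777)

        return diff_snapshots(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run stand-alone, the script reports `www/shell.php` as added, `www/old.html` as removed, `etc/app.conf` as modified in both hash and size, and `www/index.html` as modified only in mode. The permission-only case is the reason the baseline records more than a hash: a chmod to world-writable changes nothing a content hash would catch. The baseline file itself has to be kept somewhere the attacker cannot reach, otherwise the comparison proves nothing.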
Working with PR and the legal department prior to an incident is also extremely important. When a breach occurs, companies need to be able to inform the right people in the correct manner. Failing to do so could have a huge negative effect on the business and its customers.
Edon finished on a strong point. Once it is all over, organizations shouldn't just rest on their laurels. They should review the whole system, and if things need changing, identify them immediately and fix them. If they wait, they may find they never fixed all the issues recorded in the breach recovery report.
Edon provided some fascinating insights regarding what goes into becoming a data breach survivor with plenty of clear and concise advice that all companies will surely benefit from.
We hope you enjoyed our coverage of this year’s Infosecurity Europe conference. For a look back at all the exciting things Tripwire did at Infosecurity Europe 2016, please click here.
We’ll see you all at next year’s conference!