Spotlight
17 February 2016

U is for . . . understanding

Cyber security comes with a language all of its own, often opaque and replete with acronyms. With some expert help, we unravel the code, from advanced persistent threat to zero days.

A is for advanced persistent threat

An APT is an attack carried out by an adversary that targets and exploits individuals instead of computers and operating systems. Its intent is to be stealthy, targeted and data-focused. Typically an APT targets individuals in an organisation. The adversary performs extensive reconnaissance and then sends a targeted piece of information, such as a web link or email, to trick the user into opening up vulnerabilities. From this breach, the adversary uses the compromised system as a pivot point into the organisation’s network.

The trick in dealing with APTs is recognising that prevention is ideal but detection is a must. Organisations will get compromised by APTs. The goal is to minimise the frequency and impact of this by controlling where the adversary can get to in the network and how much damage it can do.

Here are things you can do to limit the impact of an APT:

1. Content filtering and examination of behavioural anomalies.
2. Create highly segmented networks to prevent lateral movement.
3. Monitor outbound traffic for the attackers’ command and control channels.

Eric Cole is a faculty fellow and course author at the SANS Institute.

A is also for authorisation, active attack and anti-virus software

B is for biometrics

Biometrics refers to authentication tools and technologies such as facial recognition, fingerprinting and retina scanning. With traditional password-based security features increasingly hacked by cyber criminals, biometrics are becoming popular as they can be a much harder target for hackers. Biometrics are more difficult to hack but should not be seen as a replacement for password technology.
Whether it’s voice recognition or fingerprint technology, biometrics do solve some of the flaws inherent in modern password systems, but they also bring a different set of challenges. For example, fingerprints can be reproduced; some prints are stronger than others; and changes in the physical appearance of the user can throw off the results in facial recognition.

Used together, passwords and biometrics provide a stronger form of protection. One serves as a backup for the other, raising the barrier further for unauthorised users attempting to gain access and hack a system. For example, security tools that incorporate multi-factor authentication, including encryption, alongside biometric fingerprint technology and typical password security can ensure that devices are covered on all fronts.

Nicholas Banks is a vice-president of IronKey by Imation.

B is also for bot, backdoor, boundary protection and BYOD

C is for cloud computing

As defined by Gartner, cloud computing is “a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using internet technologies”. In other words, cloud computing enables companies to tap into extended resources situated anywhere in the world, creating efficiencies and scale – and allowing users to pay for services as they are used.

While the cloud brings a host of financial and business benefits, it also brings risks in the form of cyber theft, accidental data leaks and privacy fines. As sensitive information is of enormous value to criminals, cloud defence is imperative for businesses that hold such data. A logical starting point is to identify all cloud applications in use, classify the types of data they hold and assess the risk level of each app. This then helps firms to map the appropriate security controls to protect data, such as encryption, tokenisation and data-loss prevention. And finally, organisations should continuously monitor activities to detect and flag up any anomalies in the use of data.

Willy Leichter is the global director for cloud security at CipherCloud.

C is also for critical infrastructure, cipher and cryptography

D is for denial of service

A denial of service (DoS) is a type of cyber attack that aims to overwhelm a website or cloud service so that it cannot function or accept legitimate requests from other internet users. To perpetrate this attack, cyber criminals will stealthily instal software, often on the PCs of unsuspecting home users, that on command can generate spurious traffic directed at the victim’s website. These botnets can include tens of thousands of PCs, and an attack launched from one is referred to as a distributed denial of service (DDoS) attack.

Imagine a telephone switchboard with a total of eight available phone lines. If attackers keep calling, never giving a chance for a line to be freed, then the switchboard can never answer a legitimate call. DoS attacks are often used by groups with a grievance against a particular brand or political issue, and can be a smokescreen to confuse the target while other more sophisticated attacks take place.

DoS attacks can be mitigated by countermeasures such as certain types of application traffic-management devices that can be configured to identify and discard traffic that appears to be coming from a botnet. There are also third-party services that act as a type of clearing house for web traffic that can counteract DoS attacks.

Stephen Sims is a course author and senior instructor at the SANS Institute.

D is also for decryption and data breach

E is for encryption

Encryption is at once intellectually simple and morally complex. At its most straightforward, it is the act of encoding data, turning plain text into cipher text.
Only those with a key or password can decode – or decrypt – the data, meaning that, in theory at least, sensitive information can pass securely across networks and be stored safely by an individual, business or government.

The strength of the encryption depends on how the technology is applied. Broadly, this happens in two ways – symmetric encryption uses the same key both to encrypt and to decrypt a message, whereas asymmetric encryption uses a different key at the beginning and end of the process.

From a security point of view, encryption can be viewed as an unalloyed good thing, but there is also an ethical dimension. Should technology firms provide governments with access to encryption keys in the name of averting terrorism, for example? If they withhold those keys, are they wilfully putting national security at risk? But if they share keys, are they blatantly invading personal privacy?

Jon Bernstein

E is also for event and exploit

F is for Flashback malware attack

The conventional wisdom dictates that Apple-made devices are less prone to security breaches than Microsoft Windows equivalents. Although a quick flick through the technology press cuttings of the past two decades is likely to bear out this view, the Apple Mac operating system is not impervious to attack. The Flashback malware attack is one example of when Apple’s defences – and those of its OS X operating system – were breached.

Using a form of malware known as a Trojan Horse, it was first detected in 2011. As the term suggests, a Trojan Horse attack is based more on deception than stealth, and Flashback was initially disguised as an Adobe Flash Player plug-in before moving on to exploit vulnerabilities in the Java programming language. The malware drops a small application on to the host computer, allowing a hacker to run malicious code from a remote location.

Why are such attacks effective? First, the malicious intent is hidden behind something mundane and useful, such as a software update. And second, many of those software updates are automated, so the victim is a passive participant, oblivious to the malicious intent. According to reports at the time, Flashback infected more than 600,000 machines.

Jon Bernstein

F is also for fraud and firewall

G is for gateway crimes

In the world of addiction prevention, the notion of a gateway drug is well understood – a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.

According to Andy Archibald, head of the National Crime Agency’s cyber crime unit, digital piracy can become a gateway to more serious online crime. Speaking at the Infosecurity Europe conference in June, Archibald noted that many young people were developing sophisticated digital skills and that it was “important that they put those skills to good use and are not tempted, unwittingly, to cyber criminality”.

Jon Bernstein

G is also for graduated security

H is for Heartbleed

Heartbleed is the open-source software flaw that affected more than 60 per cent of the internet over a year ago. It allowed access to the private key used by individuals and businesses to encrypt web traffic. In particular, it allowed anyone with the right skills to retrieve data from the memory of a web server without leaving a trace.

Heartbleed served as a long overdue wake-up call for the IT industry; in some IT organisations, the percentage of open-source code used is greater than 25 per cent, meaning there’s a lot of open-source code being reused by information technology programmers. While some claimed that open-source code was more secure than in-house-generated code, because millions of eyeballs were looking at it, the reality showed there were still basic flaws in popular software.
OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still completely missed the zero-day vulnerability posed by Heartbleed. The moral of the Heartbleed story is that while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks.

Lev Lesokhin is an executive vice-president at CAST Software.

H is also for honey pot and hot wash

I is for identity management

For practical purposes, an identity is a combination of username and password (you might call it a login, or account) used to access websites such as Facebook, your bank or a favourite internet shopping site. Between home and work, we have too many identities to keep track of, and most of us add new ones every week. To ease the headache of remembering many complex passwords, we use simple ones, reuse them for various accounts and never change them. This leaves us, and the companies we work for, open to cyber attacks and data breaches.

Identity management generally addresses problems caused by having multiple identities. It defines methods for a user to prove who they claim to be – known as authentication – and, in a corporate environment, it ensures employees have access only to those systems, applications and accounts they need for their job, and that access is updated appropriately as roles change – referred to as authorisation. Third-party identity management software and services should provide identity and access management across systems, devices and applications, whether in the data centre, the cloud or on mobile devices.

Bill Mann is the chief product officer at Centrify.

I is also for incident, information assurance, intrusion and intellectual property

J is for jamming

Jamming is a technique used by attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:

1. Flooding the spectrum using a signal generator.
2. Attacking the transmission collision-avoidance protocols to prevent other stations from transmitting.
3. Exploiting a vulnerability in the protocols that process transmissions.

While the blocking or disrupting of the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case, the communications being attacked are often detection or alerting capabilities. It is impossible to stop the impact of all forms of jamming because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is impacted by jamming.

Steve Armstrong is a certified instructor at the SANS Institute.

J is also for joint authorisation

K is for Kim Jong-un

Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014, Sony Pictures Entertainment fell victim to a massive leak of sensitive information – more than 100 terabytes of data, claimed the assailants – ranging from internal emails and employee salaries to details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies. The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un.

Sony didn’t cancel and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both “absurd” and “exactly the kind of behaviour we have come to expect” from North Korea. For its part, the country continues to deny any involvement.
Jon Bernstein

K is also for key and key escrow

L is for licensing

It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers cannot be underestimated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company’s software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits and invariably leaves them paying significantly more than they should for the technology they use in their business.

Gareth Johnson is the CEO of Crayon.

L is also for the law and logic bombs

M is for Melissa

The Melissa virus struck in May 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that at the time was highly innovative: Melissa embedded its code inside a Microsoft Word document and emailed itself to 50 individuals from the victim’s address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and didn’t have signatures for Melissa’s files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim’s address book, the person would recognise the sender’s name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.

The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email and could attach itself to document files that people routinely share. Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.

Lenny Zeltser is a senior instructor at the SANS Institute.

M is also for McAfee (John), malicious code, malware and mobile

N is for network resilience

We all rely on network connectivity in our day-to-day lives – from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services are maintained to an acceptable level whenever there is disruption. In cyber security, this is typically when the service is under attack by an unusually high level of requests, or incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems and is known as a distributed denial of service (DDoS) attack. Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.

Garry Sidaway is a senior vice-president at NTT Com Security.

N is also for non-repudiation

O is for outside threat

As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.
There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person’s or company’s defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed. This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.

Garry Sidaway is a senior vice-president at NTT Com Security.

O is also for offline attack

P is for password

The comedian John Oliver recently observed that cyber security is “the only reason we know our mother’s maiden name”. The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities, many companies insist on the use of more complex passwords – longer, with a mix of upper- and lower-case letters and numbers. They also insist that the password is changed at regular intervals. As more than one security expert insists, the only secure password is the one you can’t remember.

However, there’s no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.

Jon Bernstein

P is also for passive attack, personally identifiable information and phishing

Q is for quarantine

Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connected devices from the spread of the software virus. Anti-virus software and tools will quarantine a file if they are unsure of the provenance of the attack or, simply, unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.

Jon Bernstein

Q is also for quadrant and quality of service

R is for risk assessment

A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your “attack surface”.

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps, such as automated vulnerability scans, to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight gaps in your detect, contain and respond capabilities, which traditional risk assessments miss.
Consider these questions when contemplating a risk assessment:

1. Is there a set of security policies, such as on employee internet and email usage, that meets best-practice guidelines?
2. Is there a defined and regularly carried out process for detecting an attack or an actual breach?
3. Is there a response plan for an attack, and does it actually work in practice?

Panos Dimitriou is chief technology officer and co-founder of the Encode Group.

R is also for resilience and rogue devices

S is for Snowden, Edward

How’s this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government. In early summer 2013, he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany’s Der Spiegel and the Guardian in the UK. Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.

Jon Bernstein

S is also for spam, spoofing and spyware

T is for Target

If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed in the retailer’s security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million. Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs. The winners? The hackers who reportedly sold between one and three million of the credit-card numbers for $54m; and the technology suppliers who benefited from Target’s subsequent multimillion-dollar investment in cyber security.

Jon Bernstein

T is also for threat and Trojan Horse

U is for user

You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps.

1. Use common sense. If you receive an email, message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2. Use strong passwords to secure your online accounts and make sure you use a different password for each account. Can’t remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it’s the most secure step you can take to secure an account.
3. Protect your mobile devices with a strong PIN or passcode, or use fingerprint authentication. That way, if a device is lost or stolen, no one can access your photos, data or apps.
4. Keep your computers and mobile devices updated and current.

Lance Spitzner is an instructor at the SANS Institute.

U is also for unauthorised access

V is for verification

Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification.
Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems, applications and devices. Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority.

Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.

Kevin Bocek is a vice-president at Venafi.

V is also for vulnerability and virus

W is for worm

The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in computer security to gain access and then spread itself across the network without human intervention. Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade – or stop – access to web and network servers or standalone computers. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.

Jon Bernstein

W is also for white team and wifi

X is for X-rated

Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. “We call these malicious advertisements ‘malvertising’,” he said. The website owners disputed the findings.

Jon Bernstein

X is also for X.509 Public Key Certificate

Y is for Generation Y

The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues. According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.

Christophe Birkeland is chief technical officer of malware analytics at Blue Coat.

Y is also for you

Z is for zero day

A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks or zero-day malware are computer programs developed to exploit this. Best practice is to disclose new vulnerabilities responsibly and confidentially, by sending information about vulnerable software to the party responsible for its creation so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gain. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities. Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government’s operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.

Christophe Birkeland

Z is also for zombie

Jon Bernstein, former deputy editor of New Statesman, is a digital strategist and editor. He tweets @Jon_Bernstein.
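The signing and verification steps described under V, worked through as an added example (not code from the article or from any of the firms it quotes): textbook RSA with small fixed primes stands in for a real certification authority, and the CA name, hostnames and dates are constructed placeholders. The last case shows the subversion the entry warns about, where a stolen CA key produces a certificate that verifies perfectly.

```python
"""Toy certification authority: sign a certificate with a private key and
verify it with the matching public key (added example, not the article's)."""
import hashlib
import json

# Fixed demonstration primes (Mersenne primes 2^61-1 and 2^89-1) so the run
# is deterministic and the numbers stay readable. A real CA generates random
# 2048-bit or larger primes; these sizes are for illustration only.
DEMO_P = 2**61 - 1
DEMO_Q = 2**89 - 1
PUBLIC_EXPONENT = 65537


def make_keypair(p=DEMO_P, q=DEMO_Q, e=PUBLIC_EXPONENT):
    """Return (public_key, private_key) for textbook RSA over primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return {"n": n, "e": e}, {"n": n, "d": d}


def tbs_digest(tbs):
    """Hash the to-be-signed certificate fields in a canonical encoding.

    The digest is truncated to 128 bits so it is smaller than the demo modulus;
    real certificates pad a full SHA-256 digest up to the key size instead."""
    canonical = json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest()[:16], "big")


def issue_certificate(ca_private, tbs):
    """The CA step: sign the digest of the certificate fields with the CA's
    private exponent d. Only the holder of d can produce this value."""
    signature = pow(tbs_digest(tbs), ca_private["d"], ca_private["n"])
    return {"tbs": tbs, "signature": signature}


def verify_certificate(cert, ca_public):
    """The relying party's step: apply the CA's public exponent e to the
    signature and compare with a fresh digest of the certificate fields.
    Any change to the fields, or a signature made with another key, fails."""
    recovered = pow(cert["signature"], ca_public["e"], ca_public["n"])
    return recovered == tbs_digest(cert["tbs"])


def run_checks():
    """Exercise the four cases the V entry describes; returns a dict of results."""
    ca_public, ca_private = make_keypair()
    # Constructed sample certificate fields; hostname and dates are placeholders.
    tbs = {"subject": "www.example.com", "issuer": "Demo Root CA",
           "not_before": "2016-02-17", "not_after": "2017-02-17"}
    cert = issue_certificate(ca_private, tbs)

    # 1. A genuine certificate verifies against the CA's public key.
    genuine = verify_certificate(cert, ca_public)

    # 2. Altering a single field after issuance breaks the signature.
    tampered = {"tbs": dict(tbs, subject="login.example.net"),
                "signature": cert["signature"]}
    tampered_ok = verify_certificate(tampered, ca_public)

    # 3. A certificate signed by a different key (an untrusted issuer) fails,
    #    even though the fields are identical.
    _, other_private = make_keypair(p=2**89 - 1, q=2**107 - 1)
    other_issuer_ok = verify_certificate(issue_certificate(other_private, tbs),
                                         ca_public)

    # 4. The subversion the entry warns about: if the CA's private key is
    #    stolen, a certificate the CA never meant to issue verifies perfectly.
    #    Verification cannot tell the difference; only protecting the key,
    #    plus revocation and monitoring of issued certificates, can.
    rogue = issue_certificate(ca_private, dict(tbs, subject="login.example.net"))
    stolen_key_ok = verify_certificate(rogue, ca_public)

    return {"genuine": genuine, "tampered": tampered_ok,
            "other_issuer": other_issuer_ok, "stolen_key": stolen_key_ok}


if __name__ == "__main__":
    for case, ok in run_checks().items():
        print(f"{case:>13}: {'verifies' if ok else 'REJECTED'}")
```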