
INDEX

08 BUZZ
Automotive Cybersecurity: A New Market with a Distinct Challenge

14 IN THE SPOTLIGHT
An Interview with Manish Tiwari

20 INSIGHT
GDPR: What's in Store for Businesses

24 COVER STORY
Securing Smart Cities

30 TABLE TALK
Few Minutes with Heath Renfrow

36 IN THE HOTSEAT
High-Profile Appointments in the Cybersecurity World

39 IN THE NEWS
Top Stories Related to Cybersecurity

46 EVENT FOCUS
A Curtain Raiser to Hacker Halted

49 KICK-STARTERS
Startups Making Waves in the Cybersecurity World

54 KNOWLEDGE HUB
Demystifying Dark Web: An Organizational Point of View

57 VIEWPOINT
Trust the Cloud and Carry Your Umbrella

60 PROFILE
A Peek into Ixia's Offerings

62 COLLABORATIONS
Famous Collaborations in the Cybersecurity World

66 TECH TALK
Bug Bounty Programs: Closing Security Gaps
CISO MAG | July 2017

EDITOR'S NOTE

With the fabric of our society now defined by the technology we use, the issue of cybersecurity has become more important than ever. Time and again, major cybersecurity breaches have shaken up the world, serving as wake-up calls for authorities and individuals to initiate measures to improve the security and stability of cyberspace.

The threats we foresee are not expected to cease, and one can only expect to uncover more calculated attacks on a wider scale. Therefore, there is a continuous need for providing unbiased and useful information to the professionals working to secure critical sectors. To provide cybersecurity experts key information and analysis to tackle critical security challenges, we have CISO MAG, an information security magazine for best practices, trends, and news.

This issue's cover story features smart cities, a topic that has been gaining attention around the world. The story discusses the importance of the security of smart cities, and explores the impending threats inherent to added technology and the need for standardization.

Move on to the Buzz section of this issue, where we discuss vehicle hacking. The era of connected cars is upon us. Modern-day cars are supercomputers with accelerator pedals, transmission, and brakes that can be connected to your phones. Some phone apps can even summon cars from your garage. But phones and computers can be hacked, and the cars are not any less vulnerable.

In the Under the Spotlight section, we interview Manish Tiwari, CISO of Microsoft India, who is a result-driven cybersecurity professional responsible for various IT security initiatives in the Indian Navy and later in Microsoft India.

The magazine comprises a host of other informative features that look at cybersecurity from an all-encompassing perspective: regulations, workforce development, partnerships, and much more.

Tell us what you think of this issue. If you have any suggestions, comments, or queries, please reach us at editorial@cisomag.com.

Jay Bavisi
Editor-in-Chief
jay@eccouncil.org

Volume 1 | Issue 1 | July 2017

Editorial
International Editor: Amber Pedroncelli (amber.williams@eccouncil.org)
Senior Editor: Rahul Arora (rahul.arora@eccouncil.org)
Feature Writer: Augustin Kurian (augustin.k@eccouncil.org)

Design
Design Head and Visualizer: MSH Rabbani (rabbani@eccouncil.org)
Designer: Surendra Bitti (surendra@eccouncil.org)

Management
Business Head: Apoorba Kumar* (apoorba@eccouncil.org)
Sales Manager: Basant Das (basant.das@eccouncil.org)

Technology
Chief Information Security Officer: Subrahmanya Gupta Boda (gupta.boda@eccouncil.org)
Director of Technology: Raj Kumar Vishwakarma (rajkumar@eccouncil.org)
Information Security Specialist: Manoj Kakara (manoj@eccouncil.org)

* Responsible for selection of news under PRB Act. Printed & Published by Apoorba Kumar, E-Commerce Consultants Pvt. Ltd. and printed at G97 Network Pvt. Ltd., Editor: Rahul Arora.
The publishers regret that they cannot accept liability for errors & omissions contained in this publication, howsoever caused. The opinions & views contained in this publication are not necessarily those of the publisher. Readers are advised to seek specialist advice before acting on the information contained in the publication, which is provided for general use & may not be appropriate for the reader's particular circumstances. The ownership of trade marks is acknowledged. No part of this publication or any part of the contents thereof may be reproduced, stored in a retrieval system, or transmitted in any form without the permission of the publishers in writing.

ADVISORY BOARD

CISO MAG is honored to have an Advisory Board that comprises some of the foremost innovators and thought leaders in the cybersecurity space. The board members provide us with strategic advice regarding the magazine's general direction, including shaping our editorial content, identifying important topics and special issues, moderating discussions, and helping to create initiatives that benefit the industry at large.

Curtis Levinson
Private Consultant and United States Cyber Defense Advisor to NATO

Curtis is a proven technologist with over 25 years of experience in cybersecurity/defense, continuity/recovery of operations, and information governance. He is an expert in designing and implementing strategic and tactical information security architectures and best practices for organizations with a wide variety of risk postures in complex and distributed environments. Curtis has served, with distinction, two sitting presidents of the United States, two chairmen of the Joint Chiefs of Staff, and the Chief Justice of the United States.

Phil Agcaoili
Senior Vice President, U.S. Bank, and Chief Information Security Officer, Elavon

The former CISO of Cox Communications, VeriSign, and SecureIT, Phil helped transform security at GE, Alcatel, Scientific-Atlanta, Cisco, and Dell. He has influenced the privacy, cybersecurity, and IT industries for almost 30 years through his leadership and influence in policy/standards bodies and industry think tanks. He has shaped payments security on the PCI Security Standards Council Board of Advisors and the FS-ISAC PPISC Steering Committee.

Selim Aissi
Chief Information Security Officer, Ellie Mae

Selim has over 20 years of computer and financial industry experience, and was named by IT Security Magazine as one of the "Top 59 Most Influential Security Experts." He has published over 30 journal and conference papers and co-authored the book Security for Mobile Networks and Platforms. Selim has over 100 patents filed, and has previously worked with Visa as vice president of Global Information Security and headed Strategic Planning for eCommerce, Security, Manageability, Content Protection, Enterprise & Virtualization for Intel.


Betty Lambuth
Private Consultant

Betty has over 35 years of experience in information technology (IT), networks, application development, information security, cybersecurity, privacy, cloud services, risk management, compliance, certification and accreditation, information assurance, and other security or privacy assessments. A subject matter expert in security authorization and regulatory compliance including NIST, FedRAMP, and international regulations, her certifications include CISSP, ISSMP, CAP, CIPP/US, CIPP/G, NSA-IAM, NSA-IEM, C|CISO, and CIPM. She designed and implemented the first cybercast from the White House and led the team that won the Hammer Award for Excellence from Vice President Al Gore.

Tammy Moskites
Chief Information Officer and Chief Information Security Officer, Venafi

Tammy not only secures and protects Venafi; she also collaborates globally to help CIOs and CISOs fortify their strategies to defend against increasingly complex and damaging cyberattacks against the trust established by cryptographic keys and digital certificates. Tammy's professional experience, leadership, and recognized domain expertise as the CISO of Global 250 companies will help fellow CISOs defend their organizations. A veteran in information technology, she is noted by her peers to be a results-driven and passionate executive leader.

Prashant Mali
International Cyber Law and Cybersecurity Expert

Prashant is an internationally renowned cyber law and cybersecurity expert, author, and lawyer based out of Mumbai, India. He was awarded Cyber Security Lawyer of the Year-India by Financial Monthly magazine of the UK (2016). He was also awarded Cyber Security & Cyber Law Lawyer of the Year 2014 by the Indian National Bar Association.

Magda Chelly
Managing Director, Responsible Cyber Pte

Magda calls herself a cyber feminist and a cyber evangelist. She is involved in public speaking and international conferences as a keynote speaker, where she addresses industries' challenges with cybersecurity as well as diversity in the sector and the presence of women. In addition to managing her business, she acts as chief information security officer for various companies. She speaks five languages fluently, and has a PhD in Telecommunication Engineering with a subsequent specialization in cybersecurity and a CISSP certification.

Sunil Varkey
Chief Information Security Officer, Wipro Technologies

Sunil has over 22 years of leadership experience with renowned companies in banking, telecom, ITES, and manufacturing in the Middle East, the United States, and India. He has participated in various advisory forums globally, and has published and presented several articles related to information assurance. Two of his patent applications on information security are currently under consideration.


BUZZ

AUTOMOTIVE CYBERSECURITY: A NEW MARKET WITH A DISTINCT CHALLENGE
Augustin Kurian


Innovation in the automotive industry has led to a scenario where a car being "manual" may simply mean it has a steering wheel. Once composed of only mechanical and electrical parts, cars have now turned into complex systems that comprise sensors, microprocessors, software, and much more.

The proliferation of autonomous vehicles means that microprocessors and sensors will soon take a much more active role in driving cars. However, even before self-driving cars become commonplace, modern cars are already vulnerable to hackers via in-car technology like Wi-Fi. These connected cars are becoming standard. In 2015, there were around 6.5 million connected cars on the road, and by 2017 the figure almost doubled to 12.5 million. According to estimates, there will be as many as a quarter billion connected vehicles on the road by 2020.

This new technology has also opened a floodgate of security threats. "While you might be behind the wheel, potentially vulnerable software controls your car's functions. There is almost nothing in your car that is not mediated by a computer," said Professor Stefan Savage, Department of Computer Science, UC San Diego, while speaking to Motherboard magazine for a short documentary on car hacking.

Fear of car hacking has not yet penetrated the general population's psyche, as demonstrated by a 2016 Kelley Blue Book survey of drivers. The results of the survey show that among its sample size, very few drivers fear car hacking and most consider connected apps and Wi-Fi networks nice features to have.

Worries over security have also not slowed down the pace at which connectivity features continue to be rolled out, due to the real benefits all this technology can bring with it. Connectivity technologies in commercial vehicles not only improve efficiency and streamline logistics, they also lower occurrences of road accidents and reduce preventive maintenance costs. It is estimated that incorporating connectivity technologies can also reduce 62 percent of all trucking costs.

A REAL THREAT

Vehicle hacking isn't just a theory or something seen only in Hollywood movies. In 2016, Nissan had to shut down its proprietary app NissanConnected EV for its Leaf line-up after it was found that hackers could access the car's climate control and other battery-operated features to drain the batteries. Also, in 2015, automaker Fiat Chrysler had to issue a recall for almost 1.4 million vehicles after researchers Charlie Miller and Chris Valasek of Wired demonstrated a wireless hack on a Jeep Grand Cherokee, taking over the controls of the dashboard, steering wheel, powertrain, and even the brakes.

Recently, WikiLeaks released documents blowing the whistle on the CIA, suggesting journalist Michael Hastings's fatal car crash was triggered by a car hack. In 2013, Hastings died after the car he was driving abruptly sped up and crashed into a tree. The media has largely covered this idea as a fringe conspiracy theory, but many of the details are consistent with how a hacked car could behave.

REGULATORS, INDUSTRY RESPOND

Autonomous vehicles are no longer a pipe dream, and all vehicles soon will come with smartphone connectivity embedded into their systems. Fortunately, all manufacturers prioritize the satisfaction and safety of their customers. The burgeoning field of automotive cybersecurity will grow in partnership with regulatory and compliance bodies, original equipment manufacturers (OEMs), technology companies, insurance companies, and other stakeholders pressing for safe and secure architecture. Connected and autonomous automobiles are dynamic threat environments, and numerous patrons are collaborating with groups like the newly formed Auto-ISAC to sketch guidelines, standardizations, and best practices. These bodies endorse integration of cybersecurity into the entire lifecycle of a vehicle, from concept to production, maintenance, and decommissioning.

Even governments are taking notice of this. Earlier this January, a bipartisan bill titled Security and Privacy of Your (SPY) Car Study of 2017 was introduced in the United States, focusing on the cybersecurity of automobiles. The bill mandated that the National Highway Traffic Safety Administration create appropriate cybersecurity standards for vehicles. Other nodal agencies mentioned in the bill were the Department of Defense, the National Institute of Standards and Technology, and the Federal Trade Commission, among others. The bill stressed the importance of isolation measures to separate critical software from trivial programs, and of taking measures to detect anomalous code.

The European Union Agency for Network and Information Security (ENISA) has also envisaged similar scenarios and come up with a report on Cyber Security Resilience of Smart Cars.

GROWING TECH, BROADER SAFETY NET

Security cannot be an afterthought; it must be integral throughout the design process. Automotive cybersecurity is a new, emerging market. According to a report titled Automotive Cyber Security - Global Forecast to 2021, the global automotive cybersecurity market is projected to grow at a compound annual growth rate (CAGR) of 13.2 percent, to reach a market size of $31.8 million by 2021.

A sizeable number of private firms are also venturing into automotive cybersecurity. Israeli startup Karamba Security unveiled security systems for connected cars that prevent hackers from running any malicious code on car systems like lane assist, infotainment, and GPS tracking. Another startup working in the same field is Argus Cyber Security. Argus helps car manufacturers, their Tier 1 suppliers, and aftermarket connectivity providers protect connected cars and commercial vehicles from hacking.

This is the Internet of Things (IoT) era, and cars are no longer basic modes of transportation. Connected cars could be a new and refreshing use of big data and a business model worth leveraging, as insights from these data can be monetized. A McKinsey report states that, "Once autonomous driving and car connectivity combine, customers might be offered mobility services in exchange for watching targeted advertisements, providing product feedback, or making purchases while in the car." Businesses in the future might also leverage these systems to offer free rides to stores to retain customer loyalty.

The initial architecture of car networks is now almost 30 years old and was devised for various reasons, but security was not one of them. The systems were designed without an inkling that vehicles could be hacked, but it's not too late. It's time for cybersecurity professionals to step in and do what they do best: clean up the tech to avert disaster.

TAKEAWAYS FOR CISOs

In a time when cars are predicted to generate 25 gigabytes of data per hour, enterprises may need to consider connected cars as an insider threat due to their vulnerability to data theft. Cars come with connected features to pair your personal device for several purposes like hands-free driving, access to infotainment, GPS, and maps. Pairing devices like smartphones that carry sensitive data to a car's network may pose a serious threat. The data under threat can be personal or belong to an enterprise. And many times, information security heads are oblivious to the number of cloud apps on employees' devices. In fact, according to a Symantec report, while most CISOs/CIOs assumed employees in their organizations use up to 40 cloud apps on their devices (smartphones, tablets, laptops), in reality the number neared 1,000. The volume of exposed data is massive. CISOs need to be more vigilant; else, they may see a shift in the ways data breaches occur.

To ensure the prevention of data theft from insider threats, organizations can do the following:

- Train employees on safe techniques for pairing devices with cars.
- Encourage employees to charge mobile devices through the cigarette lighter and not the car's USB port.
- Encourage employees to implement security measures like installing firewall, antivirus, and encryption software on their devices. Company-owned devices should be issued with mobile device management (MDM) software.
- In case a device is lost, there should be a way to locate and lock it, and if necessary, the device should be equipped with a kill switch.

UNDER THE SPOTLIGHT

MANISH TIWARI
CISO, Microsoft India

A result-driven cybersecurity professional responsible for various IT security initiatives in the Indian Navy, Manish Tiwari dons many hats. He is currently working as the Chief (Information) Security Officer at Microsoft India and has a strong foundation in information security management. In an exclusive interview with CISO MAG, Manish talks about managing IT risks efficiently while covering aspects such as the evolution of the CISO role, the disconnect between CIOs and CISOs, and the shortage of skills in information security.

Rahul Arora

Q: You have had such an illustrious career with the Indian Defense Forces. How is working with a corporation like Microsoft different from working for the government?

A: I don't see much difference between the two; I think work is work. However, every organization is different in structure and culture. Working in the government sector and a corporation is a little different in that sense. No matter which organization you work with, you have to uphold the values of the company and understand its philosophy as well as its goals. My mantra has always been professionalism, hard work, honesty, and perseverance.

Q: During the course of your illustrious career, you must have handled a number of crises. Which situation really tested you to your limits? Do you remember your first challenge when it came to cybersecurity?

A: If you are a veteran of 28 years in an industry, it is impossible for you to grow without handling crises. Problems and challenges are part of your professional life. It does not matter whether you are in the armed forces or corporate, you have to take those challenges head-on and convert them into opportunities. That is how I look at it. I do not want to single out one specific instance because I have had a very diverse career.

Q: An information technology journalist once said that the job of the CSO or CISO is part diplomat, part technocrat, part salesperson, and part scapegoat. Do you concur? How has the role of a CISO evolved in the last five years?

A: The statement is very apt. As far as taking the blame is concerned, as a team, you take the good and bad as it comes along. To answer your other question, I don't think it will be correct to describe the evolution of CISOs in the last five years. I think the role has evolved over the last 20 years. In the 1990s, people started using computers frequently. The Internet was seen as an amazing productivity tool and a platform to connect people across the globe. What it also meant was that information in your repository could be at risk too. The loss or tampering of information could lead to a personal loss or the leakage of important or sensitive data about a product, which could result in a loss of image or brand. I think that is when the evolution of the CISO really started.

Q: In one of the conferences you attended, you said that there is a disconnect between CIOs and CISOs. What makes you say that?

A: It was not a blanket statement for the industry. Since I work in almost all the sectors, I do come across many scenarios where I see a disconnect between the CIOs and the CISOs. Let us try to understand the root cause of the problem. Typically, the role of a CIO is to manage and improve the IT infrastructure of an organization. A CISO is in many ways responsible for identifying, monitoring, and resolving some of the security issues. The process of carrying out an IT assessment test or IT risk management falls primarily under the CISO. It is important to find the right balance to meet business and cybersecurity requirements. There can be an end risk; therefore, some additional control or processes need to be applied. So, at times I do see a disconnect in that regard, especially in Indian banks. We are already seeing that information technology is converging and penetrating into the business operations, making IT security an integral aspect of the business. In my opinion, all these aspects need to be under one umbrella.

Q: I heard you saying in one of your keynotes that most companies either don't go through an IT risk assessment process or don't do it properly. Do you think cybersecurity is taken lightly overall?

A: There was a report from KPMG in 2015, which stated that almost 74% of the organizations in India had not undergone an IT risk assessment. That is very alarming because it is important to carry out an analysis. If you do not know what is wrong, or what the gaps are, then how do you strategize security? How do you optimally utilize limited resources to select and apply appropriate controls? An IT risk assessment is a proactive exercise that allows you to identify the gaps. It also helps us understand issues, how they need to be addressed using a combination of people, process, and technology, and how to balance that with business requirements. It also helps you tackle risks, identify the residual risks, and find ways to combat them. IT risk assessments must be done on a routine basis; they must be an exercise for every six months at least.

Q: Do you think there is a skill shortage in the information security industry?

A: Yes, there is a shortage. What we have been noticing is that the professionals are getting into the IT security industry at a later part of their careers, probably five to six years into their profession, if not later. That is our limitation. However, many in the current generation have now taken interest in the subject from their school days. If someone who has aptitude and interest starts taking interest in information security at an early stage, he/she can scale newer heights. Cybersecurity is something that requires a tremendous amount of aptitude. Training and certifications can help, but at the end of the day, you need the aptitude. In fact, many basic skills, such as vulnerability assessment and application security testing, are self-taught. Once you get the basics right, you can start building your expertise. Fortunately, things are changing for good. I am optimistic about it and I hope people will take up IT security at early stages of their careers.

Q: What would be your advice to a budding information security professional? What can he/she learn from Manish Tiwari?

A: After spending a number of years in this profession, I can say with certainty that this generation is at a benefit as compared to the earlier generations. We did not have a course on computer science 30 years ago, but now the youngsters can choose from a host of options. Therefore, they now have the option to build a foundation. They have to follow their heart and mind. This is true for every profession. Without your heart in the job, it is very difficult to have the fire in your belly and push yourself beyond the limits. You should be able to spend time understanding the career path. Do your research. Cybersecurity is a very rewarding field. I encourage youngsters to take it up and be passionate about it.


INSIGHT

GENERAL DATA PROTECTION REGULATION: WHAT'S IN STORE FOR BUSINESSES?
Raymond Teo, Senior Vice President, Business Development, APAC, NTT Security



In an uncertain world, one thing international organizations can be sure about is the need to mark May 25, 2018, in their calendars. Why? Because on that date, the new General Data Protection Regulation will come into effect. This will impact every organization in the world that collects or retains personally identifiable data from any European individual.

Four years in the making, this European data protection initiative aims to harmonize the fragmented data privacy framework across the European Economic Area (EEA), and ensure that fundamental rights are protected in today's digital economy. Legislators believed that an increase in legal certainty would both reduce compliance costs and encourage long-term consumer confidence in the safety of the global digital marketplace. This is why GDPR's jurisdiction cannot be limited to the European Union (EU) and requires extraterritoriality to be addressed.

In our experience, many organizations that are located outside Europe but have a global employee and customer base remain behind the curve in assessing the risks and opportunities of GDPR. They do not have clear visibility, understanding, and control over the personal data they process, nor appropriate access to its movement across multiple geographical locations. This lack of engagement could be a risky strategy. With massive fines and requirements for notification that will push more breaches into the public eye, GDPR promises to make data privacy a potential public relations challenge. With proposed penalties for falling short of compliance including fines of up to four percent of total worldwide annual turnover, these potentially staggering numbers have a purpose: to put privacy and data security on the boardroom agenda by bringing it in line with the highest sanctions for regulatory non-compliance, such as anti-bribery and anti-trust laws.

This article aims to highlight the areas of GDPR that international businesses need to consider, and the practical steps they can take to ensure that they are ready for the 2018 deadline.

GDPR: A FRAMEWORK FOR A DIGITAL WORLD

In seeking to transform data protection culture as well as practice, GDPR has bold ambitions. It encourages organizations to make privacy and data protection core business values, instead of a casual afterthought. By placing the principle of data protection by design and default at its heart, GDPR requires organizations to only process the personal data necessary for the specific purpose for which it was collected, and to implement controls to protect that data throughout the process lifecycle. And what counts as personal data? GDPR defines this as any information relating to an identified or identifiable natural person. This may include data such as physical address, email address, IP addresses, age, gender, location, health information, search queries, items purchased, cookies, and RFID tags for any EU citizen.

As well as trying to investigate how the directive applies to their businesses, many of the organizations that we talk to are using GDPR as an opportunity to review and fully understand the personal data that they retain. Many wish to find practical ways to minimize data to reduce risk. Organizations are also actively revising processes for data storage and, perhaps most challengingly, how access to personal data is controlled and restricted.

However, as we embrace the commercial opportunities of the digital world, should we allow GDPR to be a constraint? Or will consumer demand for new and innovative global services not be matched by an expectation that their personal information is protected? Not only does much of the directive build on existing EU legislation, it also aligns with the direction of travel of other jurisdictions. While differences exist between countries in their approach and the level of legislative development, there are signs of upward convergence towards important data protection principles, in particular in certain regions of the world.[2] This variety of global data protection initiatives, some driven by GDPR and some not, is one of the reasons that organizations seek to work with data protection advisors with international knowledge and up-to-date, relevant experience of these frameworks.

DON'T FORGET THE PR IN GDPR

For GDPR, or indeed any compliance, to be effective, failure must carry a reputational risk. Organizations that think this is just an IT issue have missed the fundamental necessity for every department within the business to think hard about data privacy. Sales, Marketing, HR, Finance: all process data and therefore may introduce risk. The new requirements for data breach reporting within 72 hours will be a challenge for many organizations, not just in how and what to report to the regulators, but in actually having the right systems in place to assess and analyze a breach. Not forgetting that the regulators could come knocking at any time to ensure that adequate protections are in place, and a failure to satisfy them may result in a fine, even if an organization has not suffered a breach.

The principle of accountability within the regulation requires clear lines of responsibility and reporting. The GDPR, therefore, mandates the appointment of a data protection officer (DPO) for certain types of businesses, either because they are public organizations, or because their activities include regular and systematic monitoring of data on a large scale.

Organizations are at varying stages of readiness for GDPR, from identifying and clarifying the exact requirements and effect of GDPR to reviewing the adequacy of their existing program or seeking to create audited evidence of implemented controls and compliance with GDPR (see Figure 1). Wherever you are on your journey, this will require security and DPO executives to work together on

strong data protection system facilitates data flows by building consumer confidence in companies that care about the way they handle their customers' personal data.[3] In our experience, organizations across the globe are at very different stages in their preparations for GDPR. But whatever stage they are at, it is clear that international businesses

the continuous road of privacy compliance, as in the race for increasingly innovative technologies that strive to make human life more efficient or fun. Consequently, businesses cannot afford to let GDPR constrain their digital aspirations. If the road gets bumpy, organizations may want to consider qualified external partners ready to help them
assessing their GDPR readiness: wishing to operate in the global navigate the long compliance
digital market must think about the journey ahead.
WHERE ARE YOU ON YOUR impact of GDPR in order to seize its
JOURNEY TO GDPR? commercial opportunities, as well as The opinions expressed within this article are the
personal opinions of the author. The facts and
Protecting and exchanging personal mitigate risk. But as we have said, opinions appearing in the article do not reflect the
views of CISO MAG and CISO MAG does not assume
data are not mutually exclusive. A GDPR is just another milestone on any responsibility or liability for the same.

1. TechCrunch: General Data Protection Regulation: A Milestone Of The Digital Age. https://techcrunch.com/2016/01/10/the-biggest-privacy-law-in-the-world-has-arrived/
2. Data protection regulations and international data flows: Implications for trade and development, UNCTAD (2016). http://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf
3. European Commission, Communication from the Commission to the European Parliament and the Council: Exchanging and Protecting Personal Data in a Globalised World. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52017DC0007&from=EN

COVER
STORY

SECURING
A SMARTER
WORLD
Augustin Kurian
The concept of smart cities has triggered evangelical fervor in a variety of stakeholders, from planners to engineers to futurists. The concept of smart cities integrates multiple technological solutions electronically, creating a secure environment for the management of a city's infrastructures. It also brings local information systems, hospitals, schools, transportation systems, and law enforcement under one grid and efficiently uses real-time control systems and sensors from data gathered from people and enterprises, leading to optimized systems. The architecture of smart cities integrates information and communication technology (ICT) with the Internet of Things (IoT) and Machine to Machine (M2M) for effective management.

Smart cities often pose complex challenges that require several organizational and regulatory changes focusing on the latest technologies and communication through the Internet. While many city governments are excited to turn their city into a smart city, they don't always focus on smart regulations, governance, and security. Laws and regulations safeguarding the privacy of citizens and the security of systems are sometimes considered an afterthought as technology and infrastructure develop faster than the tools of security.

THREATS AND VULNERABILITIES

One of the key areas that needs to be addressed is the security of the Building Internet of Things (BIoT), the next generation of green, intelligent buildings that are integrated, open architected, IP-centric, energy efficient, connected, and operationally efficient. A report titled "Cyber Security in Smart Commercial Buildings 2017 to 2021" notes that "The cybersecurity market of smart commercial buildings is largely immature and poorly defined. This is due to the perennial confusion about the cybersecurity industry. Stakeholders in the success of a project often do not realize until it's too late that they must incorporate security into their projects. Many important stakeholders still lack an understanding of the cyber threats a smart city represents. Immaturity and poor definition of smart commercial buildings also leave room for risks. Without a more comprehensive understanding of threats posed, they [many important stakeholders] are struggling to find the right strategies and strategic partners to address the issue. Many organizations simply do not have the experience or training necessary to develop a viable security policy, protect critical assets and network environments, or identify and respond to today's more sophisticated attacks," the report suggests.

Along with BIoT, another vulnerable component of smart cities is their ubiquitous smart terminals. Parking terminals, public mobile device charging booths, bicycle rental spots, etc., become part of the landscape of a connected city, and all these smart terminals are interlinked and connected to the local area networks. These smart terminals sometimes maintain sensitive user data, including personal and financial information. Since the terminals are available around the clock and in public places, they are highly vulnerable to hacking. In fact, there are numerous reported incidents of public terminal hacking.

According to a Kaspersky Lab report entitled "Fooling Smart Cities," most terminals do not have reliable protection. From a technical point of view, almost all these terminals, irrespective of their purpose, are just your everyday PC with kiosk mode activated on a touchscreen interface. Kiosk mode blocks users from accessing the operating system (OS) and is supposed to ensure they access only a limited set of features meant for a designated task.

Smart cities are invariably being built upon existing cities. This is a problem because, as any cyber expert will tell you, the critical infrastructure underpinning most modern cities exists in a patchwork of old systems, dozens of governmental bodies, conflicting or overlapping regulations, and confusion. In the future, as connectivity and networks grow, there are chances that critical infrastructure becomes vulnerable, leading to catastrophic breaches and cyber terrorism. According to Heath Renfrow, CISO of Army Medical, "We have to look at our critical infrastructure across the board. You can come across several attacks that are happening. Saudi Arabia and many other countries in the Middle East have been crippled with the attacks on their critical infrastructure."

It may not be wrong to say that a potential cyber 9/11 is on the horizon. If such an event were to occur, it could cripple an entire country, taking down the power grid, water infrastructure, transportation networks, and financial networks.

Research commissioned by IP EXPO Europe revealed that nearly half the information technology decision makers in the United Kingdom identify a cyber-terrorism attack as the biggest threat in the future, followed by attacks on the grid and national infrastructure. In fact, traditional cyber threats, such as malware, ransomware, and DDoS attacks, were ranked lower than infrastructure hacks.

DATA AND PRIVACY

Smart city initiatives often create thousands upon thousands of words of new proposals and collaboration options from governments, but the word privacy is rarely mentioned. As is so often the case with new technology, considerations for security seem to only be tacked onto projects as an afterthought.

Wim Elfrink, executive vice president of industry solutions and Chief Globalization Officer of Cisco, in an interview with The Guardian said, "Having security policies, having privacy policies is a given. I think you have to first give the citizens the right to opt-in or opt-out. Then all these policies, longer term, security and privacy are going to be the biggest imperatives. If we don't solve this, people will opt-out more."


STANDARDIZING SECURED ARCHITECTURE

The concept of smart cities is still in a prototype phase. Early adopters like Singapore mandated a standard to act as a tool to ensure that the government, agencies, and planners understood a common language of development. In Switzerland, the International Organization for Standardization (ISO) is developing a tool under the ISO 37120 series that will provide support for the smart city initiative and lay the foundation for the rest of the world to join. These standards will help other projects to identify key areas like roadway development, energy conservation, safety, transportation, pollution checks, and wastewater management.

Lim Chee Kean, CEO of Ascent Solutions and deputy chairman of the Internet of Things Technical Committee (IoTTC), while talking to Spring.gov said, "We are currently looking at developing standards that cover the end-to-end architectural framework of the IoT to enhance the ability of smart applications and devices to work together." Standardizations are pivotal, as they ensure effective management. Kean stressed that standards will enable public and private agencies to manage real-time information to deliver improved services. According to Kean, standardization helps organizations establish best practices, which enable better compliance with data security legislation.


REGULATORY HITCHES

Heavy reliance on technology creates numerous challenges to regulators. The information traffic is huge and there is massive data that needs to be managed.

A major concern is meeting the expenses of such a colossal program. This can only be achieved if governments collaborate with private parties, but private organizations often mean vested interests and agendas, as well as concerns like data privacy, data sharing, protection of sensitive information, identity thefts, and, even worse, vulnerability to cyber attacks.

At present, stakeholders of smart cities might need to fundamentally rethink some key components. There should be a better and novel legal framework that puts individuals first. The complexities of smart cities create new and unique threats. It is crucial that a smart city is composed of mechanisms that not only serve as a medium of effective communication but also contribute to the security of the city. Laws and regulations can either build or break a smart city.


TABLE
TALK


"There are no government regulations guiding the way critical infrastructure is directed."

FEW MINUTES WITH HEATH RENFROW
Amber Pedroncelli

Shortly after the WannaCry hack broke, Amber Pedroncelli of CISO MAG sat down with Heath Renfrow, CISO of Army Medical, to talk about how the hack impacted his business.

First, some background. Renfrow joined the Navy in 1997 and started working in tactical communications. For around 9 years, he travelled around the world working on satellites, UHF, and high frequencies, and was deployed to the Middle East during Operations Enduring Freedom and Iraqi Freedom. He got into information security organically during this time.

"In that world, you start seeing, for instance in the field when we needed to make adjustments we would make adjustments to equipment that was made by manufacture, so in essence we were hacking. To be able to get the functionality we needed out of it. And that originally started piquing my interest in seeing that, using DOS capability back in the day, and FTP into servers that I needed to get into to pull data from, even though the system administrators didn't know I was in there."

After leaving the Navy nine years later, he decided to focus solely on technology at the Joint Interoperability Test Command at Fort Huachuca in Arizona. As part of his duties as an Action Officer, he noticed the military GPS systems were vulnerable to spoofing, prompting him to think, as he puts it, "Well, I think this cyber thing is gonna be a big deal. So this is around 2002, 2003, and I ran with it."

Now, as the CISO for all of Army Medical, he has his hands more than full. In his own words, his job sounds exhausting. "To go over Army Medicine just real quick, we cover the globe. We have 48 medical hospitals around the world, and we have over 600 clinics, over 700 thousand medical devices. We also have the veterinarian clinics at 100 locations across the globe. Yes, Army Medicine has vets. We do have dogs, and horses and other things, which are part of our infrastructure. And we also have all our dental locations around the globe. So, it's a very broad and vast environment. My coworkers that don't work cyber that work with me like to walk around and go, 'How's the empire today, Heath?' So ..."

Does that make him an emperor? "Well, I'd like to think of myself not as an emperor, but more as the guy who is smart enough to hire people who are smarter than him to work across the globe."

When asked about the recent hack, Renfrow answers honestly, saying "I'm fighting that battle right now, Amber. Just to give you an update on our current situation, we've decided in DOD to go another level with WannaCry. I have not slept probably in 48 hours, my teams are working diligently with the Med Law community, who handles most of our medical devices at our MTS. We're talking to vendors right now. We're trying to get the patch for the Microsoft patch to fix this vulnerability from WannaCry, which has exposed and taken advantage of across our medical devices. So we're in contact with the vendors right now saying, 'Please tell us what you can do to get this pass and give us the patch.' So, we've been burning the lines."

Ominously, he goes on to say what many experts in information security have been saying: "We do feel that this is just a precursor. That is everything in my community and everything in the DOD community is indicating that this is just a precursor to something probably bigger. All indications are that this is a nation hack, an attack from a certain nation... There are theories that it's North Korea, I don't know that for sure, but I wouldn't be surprised."

One of Renfrow's passions within information security is critical infrastructure. "I've worked with the Army Corps of Engineers as a consultant, working on their SCADA and ICS networks across the country. And when you think about those, those control your dams, they control your levees for your waterways, for all your rivers, like the Mississippi River for example. And you can imagine the damage that can be done if a hacker is able to get into those systems and manipulate them."

What he learned during his work on critical infrastructure paints a dismal picture for doomsday scenarios in the U.S. "Some [systems] don't even have security built into their infrastructure at all. I gave you an example last time we talked about the ugly gorilla hack that happened in the Midwest of an electrical grid a couple years ago. Chinese were the folks who got in there. They poked around, they took schematics, they gathered data. That's historically what they do: they steal information,

they take information and they tuck it away. And they've probably done that across our entire grid, and they probably could at any time lock down our grid and shut it off."

He is optimistic about the future and the possibility of a more secure system, however. "I do not believe it's something we can't fix. For example, your [US] electrical grid is made up of over 3,000 private and public entities. Most people don't realize that. That's a lot of people to try and tie together. That's a lot of people that are trying to follow the same path. There are no government regulations guiding the way critical infrastructure is directed. The President could, but it's never happened, direct the private sector to do certain things. When you have this portion in the Midwest and Southwest, and everybody doing their own little thing, that's where it gets difficult."

On the subject of the complexities inherent in medicine, Renfrow is pragmatic and introspective. "I have gone from a cybersecurity guy who is black and white, to someone who has a little bit of a gray view on things. The challenge with health care medicine and health care security is you're dealing with a hospital and patient care, and that is the number one priority of that hospital and the people within that hospital, and also us cybersecurity folks. And I had to learn real quickly that just because a medical device for example had, what we would consider vulnerabilities, I couldn't just go up and make my folks patch it. I had to learn about the FDA and certification of medical devices and that the vendors are in charge of the patching should they choose to allow it to happen, the integrity of the system has to be maintained or a patient's life could be at risk. It's all about measuring the risk."

"We're working very hard on our relationship with our medical vendors, we are pushing the NIST framework, risk management framework, and to all our packages. We are actually scanning and trying to accredit these systems across the globe right now. And it's a challenge. It's new to the vendors, it's been a cultural change that is slowly starting to happen. I'm working, it's one of the reasons I volunteer to do conversations like this because I'm trying to get the word out there to anybody in the health care field that may have challenges with medical devices. We have to somehow team up, because, believe it or not DOD medicine is a very small portion of the pie for these medical folks. And do not get me wrong, I don't believe

our vendors are purposely putting out unsecure devices out there. I think it's a lack of understanding, and it's the new world we live in. Everything has to be connected, everything has an IP address to it."

He understands the risks and has seen what can happen with unsecure medical devices. He gives the impression that he has taken the examples of others' failures to heart. "Billy Rios, who proved the Laris Fusion Palms and found that flaw. And then you also have the pacemaker by St. Jude that recently has been showing the vulnerabilities that can be there. And even one WannaCry was able to get into the Bare MRI machines in at least two locations proven and confirmed by Bare MRI this week, as of Wednesday [May 24, 2017]. They confirmed that the ransomware took over the MRI device. So, the vulnerabilities are there and the risk is there, but getting vendors to come onboard and adhere to the NIST framework and scan their issues has been a huge challenge. We've actually had vendors tell us, 'Listen, you're a small part of the pie for us and we're not gonna even play with you.'"

As good CISOs do, Renfrow understands the business. Not just the business of Army Medical, but the businesses of his vendors. "It's about money. And in my world, it's very hard too because we're DOD. And business is important, even in Army Medicine. So what I've had to learn is, I can't say no. So, I design an architecture, and we have designed our architectures around minimizing risk for a particular device. Say we have a device that's severely at risk, and patching, for example. There's a lab company, and I won't name that company, but they have some severe issues with their suite. And because of that, my hospital will be crippled if I shut down that lab. Because it's got to communicate to the EHRs, got to communicate out to the outside world. So, I have to find the right stack to put it in. And what I mean by stack is we do VLAN architecture and we look at the communication paths for those devices. Do they need a B2B, or does the vendor have to get data from it, does it have to talk to the EHR? And then we design an architecture around that. And then minimize the risk with defense-in-depth and put all the right pieces in. I haven't said no to anybody yet. I've asked for as much support from the vendors as I can get and then we have to look at it from a perspective of how do we get the functionality and minimize the risk?"

What weighs on his mind even more heavily than vulnerabilities in medical devices? Facility control. "I am not worried as much about medical devices as I am about my facility's folks who handle all of your facility control devices for our hospitals. That ranges from the HVAC systems to your doors going in and out of your building, or in or out of your ICU. So those are truly the things that keep me up at night. Medical devices are medical devices, and I think that we've built an architecture around our devices that I can go to sleep at night and say, 'We're pretty good.' My facility control devices, which a lot of vendors need access to and run things for the HVAC system - those are the things that keep me up at night. My HVAC system goes down in my hospital, or my doors get locked out, and there's a ransomware that pops up on one of those things, then I'm putting patients' lives at risk. Not me but the attack is. And then how am I solving that issue? So we're working on those technologies are even worse than medical devices. Because they weren't ever built to be enterprise, but they are enterprised. Right or wrong, we do close architecture and we have close restricted networks and everything else like that for our private network, our medical devices, but there's always that exposure and that capability may be possible if somebody can enter your facility control devices. And they are running all on outdated equipment, because their lifespan is 20 to 30 years. And patching hasn't been done."

His advice to CISOs and aspiring CISOs? "There's no such thing as 100 percent fix, and 100 percent security, you're always going to have risks. It's just how you manage it."

IN THE
HOTSEAT

In a business landscape characterized by dynamic trends and events, change is the only constant. Many organizations often bring about a change in their leadership to achieve the desired results from a new direction, to create and disseminate a vision, or just to breathe new life into the corporate structure. The field of information security is no different. In this segment, we take a look at some of the new appointments in the information security domain.
CISO MAG staff

GENERAL MICHAEL HAYDEN JOINS ROOT9B ADVISORY BOARD

Michael Hayden, a retired four-star general, recently joined the advisory board of root9B, a U.S.-based company specializing in real-time hunt operations as well as assessment and analytic products. With both leadership and technical teams made up entirely of cybersecurity professionals who honed their craft securing DoD networks and communications, General Hayden is a perfect fit.

General Hayden, who currently works as a principal at The Chertoff Group, served as director of the Central Intelligence Agency (CIA) between 2006 and 2009 and the National Security Agency (NSA) between 1999 and 2005. He drove a number of initiatives to tackle terrorism and cybersecurity challenges during his tenures with the CIA and NSA. He was also the first principal deputy director of national intelligence as well as the highest military intelligence officer in the country.

"The team at root9B, starting with Eric Hipkins, John Harbaugh and Mike Morris, is unparalleled in the industry," said General Hayden. "Today's cyber warfare needs a unique solution which the team at root9B is uniquely qualified to offer. I look forward to being a part of this team moving forward."

JD SHERRY APPOINTED AS CRO OF REMEDIANT

Remediant, a cybersecurity startup based in San Francisco, U.S., appointed JD Sherry as their chief revenue officer (CRO).

A technology veteran who has held various leadership roles, Sherry worked as the general manager and vice president of cloud security for Optiv Security. Prior to that, he worked as the CEO of the cybersecurity firm Cavirin. Under his leadership, the company was ranked among the top 20 hottest cybersecurity companies in 2015, according to Cybersecurity Ventures. He has also served as the global vice president for Trend Micro where he managed vendor relations and guided cybersecurity programs and other business development activities.

"We are going to capitalize on recent success in some of our larger install bases to further mobilize Remediant into the financial, healthcare, retail, and government verticals," said Sherry. "Compromised privileged accounts are a massive problem that needs an elegant and cost-effective solution that can be managed in a scalar fashion with limited resources. Our innovative approach stops attacker lateral movement in its tracks without impeding productivity."

ABILITY INC. ANNOUNCES NEW DIRECTORS

Ability Inc., an Israel-based provider of tactical communications intelligence solutions, announced three new additions to its board of directors: Levi Ilsar, Brigadier General (Ret.) Eli Polak, and Nimrod Schwartz.

Ilsar will serve as the chairman of the Board of Directors and chair the Audit and Compensation Committees as well. He will also serve on the Nominating Committee. He is a veteran of more than four decades in accounting and finance and has served on the boards of directors of various subsidiaries of U. Dori Group, a real estate development company.

Polak, a retired Brigadier General from the Israel Defense Forces, will head the Nominating Committee and serve on the Audit and Compensation Committee. He served in the defense forces for three decades and is currently serving in the intelligence reserve corps.

Schwartz will serve on the Audit, Compensation, and Nominating Committees. An entrepreneur and investor, Schwartz currently serves as president and chief business officer at NUVIAD, Ltd., a provider of real time bidding technologies.

Anatoly Hurgin, Ability's co-founder and chief executive officer, commented, "We have assembled a slate of highly-qualified finance and business professionals with decades of leadership experience with growing and profitable companies to provide strategic oversight and governance of our business. I welcome each of them and their input and wisdom. I have no doubt that their individual and collective guidance will be of great value as we navigate the Company towards stability and future growth."

STEFAN MAIERHOFER JOINS FORCEPOINT FOR EUROPE OPERATIONS

In a move to expand its operations in Europe, cybersecurity firm Forcepoint appointed Stefan Maierhofer as area vice president of Central and Eastern Europe. Maierhofer oversees partner relationships, insider threats, cloud and network security, and is important for the company's European business. Stefan Maierhofer will report to Senior Vice President of EMEA sales, Andrew Philpott, who works from the company's Munich office.

Maierhofer has over 30 years of leadership experience in the technology industry. Prior to this, he was the regional vice president for Central and Eastern Europe at Palo Alto Networks where he steered the company's regional business. He also served as senior director of sales for Central and Eastern Europe at F5 Networks.

Talking about his appointment, Maierhofer said, "Forcepoint's transformative outlook on behavior and intent of users positions the company to transform the cybersecurity industry. I look forward to helping our customers in Europe protect the human point where data is most valuable and most vulnerable."

JACKIE GROARK JOINS VERISTOR AS DIRECTOR, SECURITY/CISO

IT solutions provider Veristor Systems, Inc., specializing in virtual infrastructure and cloud services solutions for enterprises, announced the appointment of Jackie Groark as Director, Security/CISO.

An expert in security operations and strategies, Groark has served as IT Security Director, Threat Management & Intelligence with Southern Company, where she directed the ground up development of a Security Operations Center (SOC). She oversaw threat monitoring, incident response, content development, and threat intelligence.

The new appointment comes as a major shift for Groark. According to her LinkedIn profile, Groark has served Southern Company for 36 years, starting as an Application Developer in 1981. Other roles held by her include Application Service Supervisor, Client Services Manager, IT Web Infrastructure and Messaging Manager, IT Infrastructure Senior Manager, and IT Business Excellence Senior Manager.

"I was honored to have had a role in securing one of our nation's most critical infrastructures," said Groark. "I am excited to be able to contribute to our customer's success in the area of security from my experience. I look forward to helping customers chart a successful course when it comes to securing their business."

IN THE
NEWS

Due to several data breaches in 2017, cybersecurity is a buzzing topic. It is imperative that information security executives are updated about the incidents around them. Read on for the 10 most important cybersecurity stories of the first half of 2017.
CISO MAG staff

WANNACRY WREAKS HAVOC

A global attack called WannaCry unfolded on Friday, May 12, 2017, using a flaw in Microsoft's Windows operating system. The flaw, discovered by the National Security Agency, was kept under wraps by the agency until the hacker group Shadow Brokers leaked it.

The attack: The cryptoworm targeted Windows computers using the EternalBlue exploit, taking advantage of the Windows Server Message Block (SMB) protocol and installing a backdoor implant tool called DoublePulsar. Then, the cryptoworm transferred and ran the WannaCry ransomware package. The ransomware encrypted data and demanded ransom from victims in Bitcoin cryptocurrency.

Effect: WannaCry has been dubbed one of the most infamous ransomware attacks ever, affecting more than 150 countries and 230,000 computers. Chinese authorities have put the number as high as one million computers worldwide. The worst hit nations were the United Kingdom, U.S., Russia, China, and Spain. The attack immediately affected several national bodies and enterprises like the National Health Service (NHS), Telefónica, Renault, FedEx, and Deutsche Bahn, among others.

Current situation: The attack considerably slowed down after a 22-year-old web security researcher, Marcus Hutchins, found a kill switch. Researchers also found ways to recover data from several infected machines. But reports of new versions emerged that lacked a kill switch. Among the recent victims were Japanese automakers Nissan and Honda. Honda had to disrupt the production of about 1,000 vehicles during the attack. ZDNet recently reported that the attack was perpetrated by North Korean hacker group The Lazarus Group, which was earlier linked to the 2014 hack of Sony Pictures.

FEDERAL PROSECUTORS LIED IN CHELSEA MANNING CASE

Investigations into the diplomatic cables provided by Chelsea Manning to WikiLeaks revealed that the documents were not nearly as damaging to the national security of the United States as prosecutors once claimed. Chelsea Manning, earlier known as Bradley Manning, was arrested in 2010 for passing classified information to WikiLeaks in 2013, in what has been dubbed the largest breach of secrets in United States history. A report obtained by BuzzFeed investigative journalist Jason Leopold through a Freedom of Information Act request stated that the contents were largely insignificant and did not cause any real harm to U.S. interests.

On the most crucial Iraq war-related documents, the report stated with high confidence that "[WikiLeaks and Manning's] disclosure of the Iraq data set will have no direct personal impact on current and former U.S. leadership in Iraq."

Chelsea was sentenced by court-martial for 22 crimes, including aiding the enemy, for 35 years. While serving her term, she gained massive support from free-speech activists and advocates of the transgender community.

Earlier this year, former President Barack Obama commuted Chelsea's prison sentence. Activists and media cheered for Chelsea, stating that Obama rescued Manning from an uncertain future as a transgender woman incarcerated at the men's military prison. On May 17, 2017, Manning was released from a Kansas military prison after serving seven years of the 35-year sentence.


DISNEY'S FITTING REPLY TO CYBER FRAUD

Keeping movies and TV series hostage for ransom isn't a new thing in Hollywood. Recently, Disney received threats of leaking the latest outing from the Pirates of the Caribbean franchise, Dead Men Tell No Tales, unless the company paid a ransom. Disney immediately announced the news, declined to pay the hackers, and sought help from the FBI. Website TorrentFreak, meanwhile, conducted its own investigation and suggested the hacking threat was probably a hoax. "Our conclusion was that the hack almost certainly never happened and, from the beginning, no one had ever spoken about the new Pirates film being the hostage," the website TorrentFreak wrote.

Disney Chief Executive Bob Iger, while talking to Yahoo Finance, stated, "To our knowledge, we were not hacked. We had a threat of a hack of a movie being stolen. We decided to take it seriously but not react in the manner in which the person who was threatening us had required."

BELL CANADA GETS ATTACKED

Canada's largest telecommunications company, Bell Canada, was a victim of a major cyber attack in May. Nearly two million customer account details were stolen, along with 1,700 names and active phone numbers, by an anonymous hacker. Fortunately, no payment card numbers or passwords were stolen. The firm stressed that the attack was not connected to the global WannaCry ransomware attack. Bell Canada issued an apology note and contacted every affected customer directly. Bell took immediate steps to secure affected systems. The company has been working closely with the RCMP cybercrime unit in its investigation and has informed the Office of the Privacy Commissioner, the company said in a statement.

This is not the first time Bell Canada has made the news for privacy concerns. Back in April 2015, the company was flagged by the Canadian Privacy Commissioner over its customer tracking policy. The Canadian Privacy Commissioner's Office instructed the company to implement an opt-in format for building customer profiles that facilitated targeted advertising. Also, telecoms regulator CRTC had earlier urged Bell to stop offering apps that enabled users to watch television from channels that were owned by Bell Canada without a data cap, citing concerns over Net Neutrality.


UKRAINE WITNESSES ITS BIGGEST EVER CYBERATTACK

Ukraine and Russia faced major disruptions after their infrastructures were attacked by a global ransomware touted to be similar to WannaCry. Among the initial victims were Russia's top oil producer Rosneft, several Ukrainian banks, and the Boryspil International Airport in Kiev, Ukraine. Following the attack, Ukraine's State Agency was forced to turn off the automatic systems supporting Chernobyl's radiation monitoring system and run them in manual mode.

The hack, which was called the biggest in Ukraine's history, soon went on to affect several companies and businesses in Europe and the Asia-Pacific region, including India's largest container port in Mumbai. Danish shipping giant Maersk, the world's biggest advertising agency WPP, and Cadbury owner Mondelez International were among the large companies that reported global IT outages following the attack.

Bogdan Botezatu, a senior e-threat analyst at Bitdefender, named the attack GoldenEye. He reported that within five hours of the attack, malware operators received payments totaling almost $7,000. Reports suggested that it was a coordinated attack targeted against Russia and Ukraine. But it remains unclear how it began. Like WannaCry, the new ransomware also included code known as EternalBlue, which experts believe was stolen from the U.S. National Security Agency (NSA).

Matthieu Suiche, a security researcher, while talking to the New York Times said, "The attack is an improved and more lethal version of WannaCry."

Reports have also emerged that the ransomware is very similar to a virus known as Petya (Little Peter, in Russian), which was discovered last year.

CHINA CYBER LAW TAKES EFFECT

To counteract cyber warfare and data breaches, China unveiled a new cyber law that has been publicized as a milestone in data privacy regulations. According to the new law, companies are required to store data like information about Chinese citizens and/or data concerning national interests on domestic servers. The law mandates every firm that exports bulk data to undergo an annual security assessment.

According to the new law, any business or organization transferring over one terabyte of data, or that has information affecting more than 500,000 users, will be assessed on its security measures. It would also assess information on its potential to harm the national interest of the country.

Under the new regulations, sensitive geographic data such as information on marine environments would also be scrutinized. Destination countries and the likelihood of overseas tampering would also be factored into assessments.

Critics argue that the law, which took effect on June 1, 2017, would make it difficult to do business in China by increasing costs for foreign firms while giving domestic companies an unfair advantage. Many even call the law vague and stringent for foreign companies who seek expansion in the country.


HACKER PULLS DOWN ONE-FIFTH OF DARK WEB

In February, an anonymous hacker took down one-fifth of the dark web. Citizens across the world cheered for the hacktivist when he/she removed thousands of child pornography images from the dark web. The hacker who claimed responsibility called it a vigilante move that was attained by targeting Freedom Hosting II, a dark web hosting service.

In all, over 10,000 hidden services were shut down and anyone who tried to access the site saw a message from Anonymous. The data dump included the email details of nearly 381,000 users. Troy Hunt, who runs the popular service Have I Been Pwned?, while talking to thenextweb.com said, "Given that Freedom Hosting II was popular with those involved in the creation and distribution of child pornography, many of those emails are likely burner addresses."

While talking to Motherboard, the hacker said, "This is in fact my first hack ever. I just had the right idea. Initially I didn't want to take down FH2, just look through it." The hacker found several child pornographic sites that used more than Freedom Hosting II's stated allowance of 256MB per site. This suggests they paid for hosting and the admin knew of those sites. "That's when I decided to take it down instead," the hacker said. The hacker claimed to have found 10 child pornography sites with approximately 30 gigabytes of files.

FRENCH ELECTIONS HIT BY HACKING

After the infamous hacks of the 2016 US election, it has been discovered that France has also suffered a similar fate, when tens of thousands of emails and election-related documents of the now French President Emmanuel Macron were released online ahead of its elections in May of this year. Macron's En Marche! team called it an attempt to destabilize the elections and stated the team would find the culprit behind the act. Meanwhile, France's presidential electoral authority warned the media, especially the online media, not to publish information from the leaked documents.

NSA director Michael Rogers suggested the involvement of Russia in the hacks. "If you take a look at the French election ... we had become aware of Russian activity. We had talked to our French counterparts prior to the public announcements of the events publicly attributed this past weekend and gave them a heads-up: Look, we're watching the Russians, we're seeing them penetrate some of your infrastructure," he said in a report published in WIRED.


SOUTH CHINA SEA ROW AND HACKS

The South China Sea dispute has been a hot topic for many years among several states such as Brunei, the People's Republic of China (PRC), the Republic of China (ROC), Malaysia, Indonesia, the Philippines, and Vietnam. The dispute has now moved to cyberspace. Recently, the Singaporean military's site was breached in an attempt to allegedly find classified military information. The Singapore Ministry of Defense stated that it is highly probable that the attack was state sponsored. Also, cybersecurity company FireEye recently stated that nation-backed Vietnamese hackers are most likely targeting Philippine state agencies to gather maritime-related intelligence.

According to the report from FireEye, Vietnamese hackers APT32 (OceanLotus Group) attacked a Philippine technology infrastructure firm and a consumer product corporation, along with numerous other companies that were doing business in Vietnam last year. Bryce Boland, the CTO of FireEye, stated that the hackers have been targeting Philippine government bodies as well. "This is presumably in order to gain access to information about military preparation and understanding how the organizations within the government operate in order to be better prepared in case of potential military conflict," said Boland during a press briefing.

TRUMP CYBERSECURITY ORDER RECEIVES MIXED REVIEWS

US president Donald Trump recently signed an executive order to boost the government's cybersecurity. He called the issue a subject of top priority. The order aims to protect critical infrastructure and government agencies from all vectors of cyber threats. The order intends to examine agencies moving towards cloud. It also encourages the private sector to develop strategies to thwart cyberattacks.

The bill mandates federal agencies to use a framework developed by the National Institute of Standards and Technology (NIST) to manage cyber threats. It has also instructed agencies to prepare a report within 90 days on the methods of implementation.

The order has received mixed reviews. A few called it "a good first step" while others called it "too wrapped up in privacy." Ed Amoroso, the former chief information security officer of AT&T, said, "How many plans are being drafted by government agencies right now under the current Cyber Executive Order? Hundreds. And who is going to read them? This is not the way Trump's executive order should be."


EVENT FOCUS

HACKER HALTED TAKES A DEEP DIVE INTO THE ART OF CYBERWAR

Hacker Halted, EC-Council's largest annual conference, will focus its 2017 edition on the teachings of Sun Tzu as applied to cyberwarfare. The Hacker Halted speaker committee has combed through the dizzying stack of submissions to form the agenda for this year's conference, with a special focus on presentations that take the Chinese strategist's lessons to heart and apply them to the cyberwars being fought every day across the world.

Amber Pedroncelli



In a change to Hacker Halted's long-standing tracks, this year's committee has chosen three brand new tracks that focus on aspects of Tzu's teaching.

TRACK 1: ALL CYBER WAR IS BASED ON DECEPTION

2,500 years ago Sun Tzu wrote 13 chapters on military strategy. Fast forward to today and we are still learning from those chapters and applying them in our newfound digital age. This track focuses on those very strategies, from breaking resistance, knowing ourselves, and, of course, deception. This track will focus on using deception as an aid in defense, the great results that can be achieved with small forces, and how that might apply to the potential shortfalls we are facing in this industry.

TRACK 2: PHILOSOPHY OF CYBER WAR

In an age where war is waged over cables and microchips instead of battlefields, one challenge is defining what war is and when war should be declared. Boundaries are being eroded as the globalization of technology continues its march across our physical landscape. We are facing a future where soon our very existence can be digitized and moved between any number of diverse systems. What is war these days? Is it simply the reality that anyone with sufficient knowledge and a decent Internet connection can simply declare war against anyone else, be they human, government, or nation state? War now transcends boundaries - what DO we do?

TRACK 3: TECH BEHIND CYBERWAR

Leave your 0days, leave your latest hacks behind, and bring your playbook for the blue team. We have more hacks and more working trojans and attack vectors than we know what to do with. What do we actually do with them? That is the question this track will answer. This track is not about how you attack; it is about how you defend. When a hack happens, how, where, and why do you react? How do you even know that you have been hacked? As security experts, we have failed our very charges. We continue to allow them to be attacked and we fail at defense.

Hacker Halted's speaker committee is made up of an all-star team of security veterans. Winn Schwartau, Founder of The Security Awareness Company and security guy since 1983; Chris Roberts, Chief Security Architect at Acalvio Technologies; Aamir Lakhani, Dr. Chaos and Global Security Strategist and Researcher at Fortinet; Joe Gray, Enterprise Security Consultant at Sword and Shield; and Adrian Crenshaw, Senior Security Consultant at TrustedSec, LLC, bring their vast networks and expertise to the task of filling the agenda with the top security minds in the industry.

The agenda for Hacker Halted has now been posted and highlights presentations from the best in the ethical hacking industry. The talks chosen resonate with the theme of the conference as well as current events in infosec and beyond. The opening keynote presentation is actually a panel debate moderated by industry veteran and committee member Winn Schwartau. The focus of the debate touches on issues that hit close to home for the public at large as well as the security industry. The debate, entitled Hackers, The Media, Truth, Trust, and Alternative Facts, will feature perspectives from Greg Carpenter, infosec professional and CCO of Pragmatick IO, Inc.; Michael J. Masucci, a Hollywood producer; and Mark Rasch, a CyberAttorney formerly of the DoJ.

After the debate and opening keynote by Chris Roberts, the track talks begin. Attendees will have a choice between talks from Dr. Catherine Ullman, Senior Information Security Analyst, University at Buffalo; James Tubberville, Executive Director of MINIS LLC; Dr. Fred Cohen, CEO, Management Analytics; Laura Samso Pericon, Executive Vice President, Centurion Technologies Consulting LLC; and Georgia Weidman, Founder and CTO at Shevirah and Bulb Security LLC, among many others.

Hacker Halted has a long history of bringing incredible information security speakers together since 2008 in the US. Every year, the conference has grown in prestige and audience, drawing bigger names and incorporating more events alongside the conference.

Running alongside Hacker Halted is the Global CISO Forum. The CISO event is invitation only and open to information security practitioners at the director level or above. This year's agenda features several top names including Brian Phillips, the CISO of Macy's; Kathy Fithen, the Chief Privacy Officer of The Coca-Cola Company; and Richard Seiersen, CISO and VP of Trust of Twilio, Inc. An exciting addition to the event will be Michael Santacorangelo's keynote and panel discussion centered around executive leadership. Santacorangelo, something of a CISO whisperer, will present on the trends he sees for infosec leaders, the challenges he sees CISOs struggling with, and the solutions that have shown success in his practice. After his keynote


address, he will lead a panel discussion with practicing information security executives in a conversation that will address their actual careers and bring practical information to the conversation. Santacorangelo will also be available for 15-minute mentoring sessions for any Forum attendee who would like his insight.

Prior to the kickoff of Hacker Halted and Global CISO Forum, EC-Council will once again host its black-tie awards gala to celebrate executives in four categories. The CISO Awards were created to identify and celebrate the amazing work being done around the world by executives dedicated to improving the information security of their respective companies, governments, and organizations. The award finalists and winners are selected and voted on by two committees integral to the success of EC-Council's CISO program: the CCISO Advisory Board and the CISO Events Board. Finalists and winners are selected via an anonymous judging process without input by EC-Council staff. Finalists for the 2017 awards so far include . The finalist announcements are all leading up to the announcement of the winners at the CISO Awards Gala in Atlanta, GA on the night of October 8th, 2017. The award categories are:

CISO OF THE YEAR

This award, available only to Information Security Executives (VP, CISO, etc.), recognizes an individual's outstanding work in information security. EC-Council will be honoring one executive who has contributed to the information security industry, shown tremendous professional growth and achievement, and has promoted strong, innovative security practices.

INNOVATIVE SECURITY PROJECT OF THE YEAR

This award is intended to recognize the most innovative security project of the year. The winner of the award will be a project that is:

- Cost effective
- Impactful to the business or security operations
- Creative in its use or creation of new models
- Groundbreaking
- Measurable

MOST IMPROVED INFORMATION SECURITY PROGRAM OF THE YEAR

This award is intended to recognize improvements in information security programs that have made use of innovative strategies to bring value quickly to a security program and the overall business/organization's goals. The winning program will show:

- A baseline of the security program before improvements, including measurable indicators
- The methods used to improve the program
- Challenges encountered and the solutions implemented to overcome them
- A thorough analysis of the program after improvements were implemented, including measurable indicators

C|CISO OF THE YEAR

This award, available only to EC-Council Certified CISOs (C|CISOs), recognizes an individual's outstanding work in information security. EC-Council will be honoring one C|CISO who has contributed to the information security industry, shown tremendous professional growth and achievement, and has promoted strong, innovative security practices.

Current finalists include Manish Tiwari, CISO of Microsoft India; Patric Versteeg, CISO of Novamedia; and Favour Femi-Oyewole, CISO of the Nigerian Stock Exchange.

Winners will be announced on stage at the Gala and be awarded with various prize packages. Finalists will receive a package worth $700 which includes a hotel room covered for three nights, one guest ticket for the Awards Gala dinner, a Global CISO Forum ticket, a website feature, and an appearance on the Global CISO Forum Podcast.

The Top 3 Finalists in each category will receive a package worth over $1,200 which includes everything in the finalist package plus three tickets to the Awards Gala dinner, a press release announcing finalist status, and one webinar for the finalist company to tell their security story.

Winners in each category will be given packages valued at over $10,000 which include everything from the first two packages, an EC-Council customized training package for staff, and a press release announcing the winners.

Hacker Halted 2017 and the events that surround it will be a valuable event for the information security community at large. By bringing together committees of experts to build each aspect of the conference, the quality of speakers, award winners, and panelists continues to increase each year, keeping pace with the trends in information security to arm practitioners with the skills they need to keep the world's data safe.


KICK STARTERS

With cybersecurity gaining more importance than ever, cybersecurity startups have become a main attraction for venture capitalists. The cybersecurity market has seen tremendous growth despite the slowdown in the global economy, with many companies inking record-breaking funding deals with venture capital firms. The influx of money has driven innovation and solutions to important security challenges. In this section, we look at some emerging companies making waves in the information security domain.

CISO MAG staff

SENTINELONE

Founded in 2013, SentinelOne specializes in innovative endpoint protection. The company was formed by cybersecurity and defense experts from IBM, Intel, Check Point Software Technologies, McAfee, Palo Alto Networks, and the Israel Defense Forces.

SentinelOne provides companies with the option to replace their aging antivirus solutions with its endpoint protection platform that can prevent, detect, and respond to malware and insider-based attacks without signatures or cloud access.

The company claims that its approach is based on the thorough inspection of all system processes and innovative machine learning, leading to the quick isolation of malicious behaviors and the protection of devices against advanced targeted threats in real time.

"The age of the antivirus is over. The threat landscape is rapidly changing and the current security paradigms don't do a good enough job of protecting at the endpoints. Network-side solutions simply have too limited visibility into threats," says Sentinel Labs co-founder and CEO Tomer Weingarten in an interview with Pando.

Claiming to have witnessed tremendous growth in the last 12 months, the startup recently signed a deal with one of the world's largest IT technology distributors, Avnet Inc. It is now planning for global expansion and has grown its executive committee.


MYKI

MYKI, a Beirut-based cybersecurity startup, claims to have developed the first advanced password and online identity manager in the region. It provides smartphone users with secured access to online services and cuts down on the need to manually type user login credentials every time users access services. It also offers secured password management solutions.

The firm, initially known as Ki, offered security tokens by the same name. According to the founders, prototyping and editing tokens in the Middle East and North Africa (MENA) region was difficult for logistic reasons, and market analysis also showed that people were not interested in carrying an electronic device with them. Due to this, the company migrated to a software-as-a-service (SaaS) format and launched MYKI.

"MYKI is a revolutionary solution that eliminates the need for usernames and passwords. What started as an idea flourished into a working model that could change the way people use technology in their lives and will soon be available for the masses. Our goal was not just to take the project from the concept to the execution stage, but to touch people by simplifying their everyday lives and showing them the possibilities," said Priscilla Elora Sharuk, co-founder of MYKI.

SEQURETEK

Sequretek is an enterprise security solutions provider founded by Anand Naik, former managing director at Symantec South Asia, and Pankit Desai, former president at Rolta India. The company claims that its product and service portfolio reduces security complexity in organizations. The key areas the company operates in include financial, IT/ITES, retail, pharma, and logistics.

Sequretek's product Avatar focuses on endpoint control, application access, infrastructure access, and user services. Avatar engages in solving issues pertaining to governing all technology privileges that are given to employees from the time they join an organization to their exit. The second product, Kawach, secures endpoints (laptops, desktops, mobile) from external, internal, and device-related threats.

At the enterprise level, Sequretek offers integrated and managed cybersecurity that ensures organizational security 24x7 across all threat vectors and derives actionable intelligence. Sequretek provides organizations with a companywide risk score that helps them understand their risk profile.


APVERA

A Singaporean cybersecurity startup founded in 2014, Apvera claims to specialize in machine learning to predict and prevent threats and cyberattacks by deploying behavior analytics. By monitoring both internal and external threats, Apvera helps companies prioritize their resources. The company employs adaptive techniques to monitor network and user behavior. Due to this, it can quickly analyze changes in user and network behavior that are not in line with the usual patterns, defending against all possible internal and external breaches.

Apvera argues that threat protection and signature-based methods will be outdated in the near future and stresses installing real-time endpoint profiling and anomaly detection for a 360-degree view of security concerns.

"Investing in and developing Singapore's digital capabilities will only help transform the threat landscape to further safeguard corporate assets, improving both social and corporate responsibility. Regardless of size, companies need to protect themselves from cyber threats or malicious activities which could otherwise leave them open to potentially damaging attacks," Eric Meyer, CEO of cybersecurity firm Apvera, told Tech Wire Asia.

EVERLEDGER

Founded by Australian entrepreneur Leanne Kemp in 2015, Everledger is a global digital ledger that reduces cyber fraud. The startup claims that it specializes in tracking and protecting diamonds using blockchain, the technology behind bitcoins. Everledger provides a history of each item's authenticity to every stakeholder, from traders and consumers to insurance companies and financiers. Since its inception, Everledger has achieved significant recognition in the international diamond industry and has digitally certified over 980,000 diamonds.

Apart from this, it has won numerous global startup competitions like Open Talent Competition: BBVA Europe 2015; Innovation in FinTech: Meffy Award 2015; Best in Show: FinTech Finals 2016; and Best Blockchain Company: European Financial Technology Awards 2016.

"Blockchain is immutable; it cannot be changed, so records are permanently stored," said Kemp while talking to WIRED. "Information on the blockchain is cryptographically proven by a federated consensus, instead of being written by just one person."

The company is mulling over extending its technology to other items of value like luxury goods and art work.


DIGITAL SHADOWS

Headquartered in San Francisco and London, digital risk monitoring company Digital Shadows gives organizations an attacker's view of threats and vulnerabilities. It monitors over 100 million data points across all web vectors like the visible, deep, and dark web, helping organizations detect, protect, and mitigate threats at the earliest point possible.

Digital Shadows finished 2016 with more than 880 percent revenue growth over 2015 and has expanded its operations in the U.S. and Europe. It was also recognized as One of the World's Most Innovative Mobile Cybersecurity Technologies by SINET in 2016.

Earlier this year, Digital Shadows expanded visibility into mobile-driven risks with the enhancement to its digital risk management, SearchLight, which helps organizations detect mobile application threats.

"Digital risk presents enterprises everywhere with brand protection and data risk threats. In an increasingly mobile-first world, our customers now have the ability to precisely account for evolving threats jeopardizing irreplaceable reputations and information. But we know that a large percentage of mobile applications will fail basic security tests and this is no longer a niche or isolated part of an organization's digital footprint. New devices and applications are the status quo and organizations must be able to identify the digital risks associated with them," said Alastair Paterson, CEO and co-founder of Digital Shadows.

CYBEREASON

Founded by a team of former Israeli intelligence agency members in 2012, Cybereason is an information security startup based in Cambridge, Massachusetts, with offices in London, Tel Aviv, and Tokyo. It assists forensic analysts in terminating Malops (a set of discrete hacker operations with intermediate objectives). The company claims that it specializes in endpoint detection, protection and response, incident response services, and has built a next-generation antivirus helping organizations prevent most types of data heists.

The Cybereason platform, powered by a custom-built in-memory graph, works autonomously, monitoring enterprise security and detecting behavioral patterns across all endpoints while cutting the need to employ a security analyst.

"We have collectors, agents that sit on the end points that are looking at all sorts of differential data. So we have applications profiled, we have users profiled, we look at the programs [a particular user would use related to other users with the same job role] and we're constantly building profiles and looking for rare events of clusters of users, or users across the whole enterprise, or even cross enterprise to see how various companies use different applications," Cybereason VP Mark Taber told TechCrunch.


ZEROFOX

Founded in 2013 by a Baltimorean team of information technology veterans, ZeroFOX specializes in social media security and digital risk monitoring. The company's cloud-based Software-as-a-Service (SaaS) platform parses millions of data points across several social media platforms on a daily basis, protecting businesses and government agencies globally from all kinds of cyber-attacks. In fact, ZeroFOX was one of the first companies that brought the under-the-radar attack surface of social media into the limelight.

The firm has several accolades to its credit, including SINET16 Champion, Dark Reading's Top Security Startups to Watch, Tech Council of Maryland's Technology Company of the Year, and the Security Tech Trailblazer of the Year.

"Social media and digital platforms have become critical business applications that all brands rely on to engage with their customers, build a following, support customers and grow revenue. In response, malicious actors are increasingly targeting businesses by impersonating brands and targeting customers to siphon cash flow and tarnish brand reputation," said James C. Foster, CEO of ZeroFOX.

SILICON:SAFE

A bootstrapped startup founded in Cambridge in 2013 by two former Citrix engineers, Silicon:Safe offers hardware-based solutions to protect usernames, passwords, biometrics, and other sensitive or critical data. The company argues that, if deployed, its password protection product would have averted some of the high-profile incidents and hacks like those that hit Sony PlayStation, LinkedIn, eBay, etc. Silicon:Safe was awarded runner-up in the storage trailblazers award category of the 2014 Tech Trailblazers Awards.

Silicon:Safe has thrown an open challenge to hackers, asking them to successfully hack the system for a handsome reward. According to reports, there have been more than 1.25 million unsuccessful hacking attempts.

"We think it is impossible to steal usernames and passwords from our system," said Roger Gross, CEO and Founder of Silicon:Safe, "because of our unique hardware solution. We expect most experienced cyber experts and hackers to realize that they are unable to gain access to the data when they read the description of our solution, but for those who think they can do it, we are offering them the opportunity to give it their best shot. There are no 'back doors' or administrator privileges to exploit, and no code to infect; crack it if you can!"


KNOWLEDGE HUB

DEMYSTIFYING DARK WEB: AN ORGANIZATIONAL POINT OF VIEW
By Souti Dutta, Lead Threat Analyst - SOC Services, Paladion


The Internet has become an essential fixture in people's lives. Apart from posting captured moments on Instagram, tweeting life's experiences on Twitter, and browsing funny cat videos on YouTube, the Internet can allow you to travel beyond its surface to the deep, dark corners of the virtual world. Such corners are generally termed the Dark Web.

In recent years, there has been an upsurge in interest and curiosity about the Dark Web. Frequent headlines on the existence of hidden marketplaces that serve as hotbeds of drugs, arms trafficking, fraud, hacking, etc., or the supposed freedom (anonymity) on the Dark Web have lured the common man into these dark virtual alleys.

The Dark Web has coexisted within the Deep Web (a segment of the WWW that has opted out from being indexed and is unavailable through regular search engines like Google, Yahoo, etc.) for years. It is a digital space used particularly for carrying out malicious activities under the cloak of anonymity.

IS THE DARK WEB A GROWING CONCERN FOR ENTERPRISES?

A study has estimated that only 0.03% of sites on the internet fall under the Dark Web category, which is 30,000 or fewer sites. However, its growing popularity, ease of access and mass adoption have created serious concerns among security practitioners.

Anyone possessing a free piece of software like Tor can gain access to the Dark Web anonymously. In corporate environments, where thousands of employees access various IT resources, even a single exposure to the Dark Web can bring down defences. Below is a summarized list of risks that accessing the Dark Web using tools like Tor can bring:

Exposes an organization to malware and botnet attacks: Individuals/groups that operate Exit Nodes or Tor relays on a Tor network can abuse them by turning them into a malware distribution point without the knowledge of the employee using them. This leaves an organization's network susceptible to malware attack via received responses (wrapped with malware) from such rogue nodes. The Dark Web maintains CnC communication with the organization, which creates further risk.

Exposes an organization to DDoS attacks: If employees turn their hosts into nodes which participate in the global Dark Web network (e.g. Tor nodes), it can elevate the risk of bandwidth exhaustion or a DDoS-like situation. The corporate network relaying a large volume of Dark Web traffic is the primary reason for either high bandwidth consumption or bandwidth saturation.

Allows employees to bypass security controls: Traffic to the Dark Web is always wrapped in encryption, so monitoring of network traffic between the originator and the destination host is hard to crack. This means employees can freely view illegal sites, purchase contraband goods using corporate resources with ease, etc. In addition, it allows employees to circumvent several security controls without any extra effort.

Becoming the data exfiltration point: The Exit Nodes are susceptible to sniffing attacks, so if non-encrypted data is out there, it can be captured and utilised in a malicious way. Internal hosts participating in Dark Web activities can get infected with malware that exfiltrates data, leaving the organization susceptible to data theft.

Employees turning rogue insiders: A recent study noted a new trend among cybercriminals where they spend considerable resources to recruit insiders. The primary goal behind such


recruitment is to steal data, plant malware, enhance domain knowledge, etc.

Loss of reputation: Organizations can be held responsible for any illegal activities carried out on the Dark Web, especially hosting of Dark Web network nodes which are involved in transporting illegal data or in activities such as hacking, DDoS attacks, spying, etc.

Blacklisting: An organization found hosting Dark Web nodes can risk its IP being added to an Internet blacklist, which can lead to unnecessary restrictions from various service providers.

LIMITING ACCESS TO DARK WEB FROM INSIDE THE BUSINESS NETWORK

Preventing access to the Dark Web and detecting instances can be a real challenge. There are currently no readymade solutions to monitor and stop such attempts. So, the solution lies in a combination of security best practices, technology, user awareness and a refined security policy on usage of the Dark and Deep Web and associated applications. We've listed a few recommendations below:

Stop internal users from downloading, installing/running Tor: Tor (and other similar applications such as I2P) is the key to gaining access to the Dark Web. Users should not have access to the Tor website from where they can acquire the installer or a portable version of the application. So, by deploying application whitelisting and limiting access rights, it is possible to prevent running such applications. Controls on USB ports should also be implemented to prevent running any portable instance of such applications.

Maintaining a known Dark Web/Tor node list: The primary reason behind maintaining a list of known Tor nodes is to limit any outbound traffic to the Dark Web. An explicit outbound connection deny to all such IPs (Exit Nodes) will minimise the live traffic destined to the Dark Web. It is also necessary to devise an internal list of hosts which were involved in generating traffic to those IPs / nodes. It is also necessary to keep the node IP list relevant and updated. One can utilise available feeds to capture such IPs.

Outbound traffic containing self-signed certificate data: The Dark Web is a known consumer of self-signed certificates (certificates not created by recognized certificate authorities). Such certificates allow data encryption between clients, nodes or servers. Hence, blocking such outbound SSL traffic will not only meet the best practice requirements, it will actively limit exposure to the Dark Web.

Clear Policy on Dark Web/Tor usage: Along with implementing security controls, it is important to ensure the corporate security policy talks about accessing the Dark Web and usage of proxy software (Tor). The updated security policy should clearly state the imposed limitations and prohibitions on the access of the Dark Web using proxy software over the corporate network and resources.

User Awareness: Organizations should conduct sessions where employees and partners that use IT services can understand the risks related to the Dark Web.

CONCLUSION

The curiosity around the Dark Web is obvious, but if this discovery is made on a corporate network, it can make an organization vulnerable to cyber attacks. Employees unwittingly use the Tor network as a proxy to circumvent blocked sites, etc. It is important for employees to be educated about the risks such proxy software can bring to the organization, to prevent the risks the Dark Web can bring. Organizations should also monitor all virtual activities by employees, regardless of seniority or technical expertise, within the corporate environment to ensure optimal cybersecurity.
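Two of the controls recommended under LIMITING ACCESS TO DARK WEB FROM INSIDE THE BUSINESS NETWORK, matching outbound firewall events against a known exit-node list (with a staleness check on the list) and flagging TLS sessions whose server certificate is self-signed, as an added example that is not part of the article or of Paladion's tooling. The node list, log lines, IP addresses (RFC 5737 documentation ranges), certificate names and the iptables rendering of the deny rule are all constructed for illustration.

```python
"""Added example (not the author's or Paladion's code): match outbound
firewall events against a known Tor exit-node list and flag TLS sessions
whose server certificate is self-signed, as the article recommends.
Every IP, hostname, certificate name and log line below is constructed."""
from datetime import datetime, timedelta, timezone
import shlex

# Constructed exit-node feed. Real feeds change hourly, so the record keeps
# the refresh time and the report warns when the list has gone stale.
EXIT_NODE_FEED = {
    "fetched_at": datetime(2017, 7, 10, 6, 0, tzinfo=timezone.utc),
    "nodes": {"203.0.113.7", "203.0.113.44", "198.51.100.42"},  # RFC 5737 ranges
}
MAX_FEED_AGE = timedelta(hours=24)  # policy: refresh the list at least daily

# Constructed key=value firewall events for outbound connections.
FIREWALL_LOG = """\
ts=2017-07-10T08:01:12Z src=10.1.2.3 dst=203.0.113.7 dport=9001 action=allow
ts=2017-07-10T08:01:15Z src=10.1.2.3 dst=192.0.2.80 dport=443 action=allow
ts=2017-07-10T08:02:40Z src=10.1.7.9 dst=198.51.100.42 dport=443 action=allow
ts=2017-07-10T08:02:41Z src=10.1.7.9 dst=203.0.113.44 dport=9030 action=allow
ts=2017-07-10T08:03:02Z src=10.1.2.3 dst=203.0.113.7 dport=9001 action=allow
""".splitlines()

# Constructed TLS inspection records carrying the server certificate's names.
TLS_LOG = """\
src=10.1.7.9 dst=198.51.100.42 subject="CN=www.k3j9x2qa.net" issuer="CN=www.k3j9x2qa.net"
src=10.1.4.4 dst=192.0.2.80 subject="CN=www.example.com" issuer="CN=Example Public CA"
src=10.1.9.1 dst=192.0.2.10 subject="CN=www.pq7ze1.com" issuer="CN=www.pq7ze1.com"
""".splitlines()


def parse_kv(line):
    """Parse one key=value log line (values may be double-quoted) into a dict."""
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def feed_is_stale(feed, now, max_age=MAX_FEED_AGE):
    """True when the node list is older than the refresh policy allows."""
    return now - feed["fetched_at"] > max_age


def hosts_contacting_exit_nodes(log_lines, exit_nodes):
    """Internal hosts that generated traffic to known exit nodes, as
    {src: sorted list of exit-node IPs reached}."""
    hits = {}
    for line in log_lines:
        rec = parse_kv(line)
        if rec.get("dst") in exit_nodes:
            hits.setdefault(rec["src"], set()).add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def self_signed_sessions(tls_lines):
    """TLS sessions whose certificate issuer equals its subject (self-signed).
    A self-signed certificate alone is not proof of Tor use (appliances and
    test servers use them too), so these are triage leads, not verdicts."""
    found = []
    for line in tls_lines:
        rec = parse_kv(line)
        if rec.get("subject") and rec["subject"] == rec.get("issuer"):
            found.append((rec["src"], rec["dst"], rec["subject"]))
    return found


def deny_rules(exit_nodes):
    """One explicit outbound deny per exit node, rendered as iptables commands
    for a gateway's FORWARD chain (one possible rendering, assumed here)."""
    return [f"iptables -A FORWARD -d {ip} -j DROP" for ip in sorted(exit_nodes)]


def build_report(now_iso, feed=EXIT_NODE_FEED, fw_log=FIREWALL_LOG, tls_log=TLS_LOG):
    """Combine the checks into one structure a SOC script could emit.
    now_iso is an ISO 8601 timestamp with offset, e.g. 2017-07-10T09:00:00+00:00."""
    now = datetime.fromisoformat(now_iso)
    return {
        "feed_stale": feed_is_stale(feed, now),
        "exit_node_hosts": hosts_contacting_exit_nodes(fw_log, feed["nodes"]),
        "self_signed": self_signed_sessions(tls_log),
        "deny_rules": deny_rules(feed["nodes"]),
    }


if __name__ == "__main__":
    for key, value in build_report("2017-07-10T09:00:00+00:00").items():
        print(f"{key}: {value}")
```

The internal hosts reported here are the "internal list of hosts" the article asks for; the deny rules and the self-signed findings are inputs to the blocking and triage steps it describes.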
The opinions expressed within this article are the
personal opinions of the author. The facts and
opinions appearing in the article do not reflect the
views of CISO MAG and CISO MAG does not assume
any responsibility or liability for the same.


VIEWPOINT

TRUST THE CLOUD AND CARRY YOUR UMBRELLA
Aseem Ahmed, Sr. Product Manager - Cloud Security, Akamai Technologies

As more and more companies begin to comprehend the benefits of cloud computing, its adoption is probably higher than ever before. According to research done by Intel Security, in 2016, hybrid cloud adoption had increased three times within the organizations surveyed. The same set of organizations predicted that in the next 15 months, around 80% of all information technology (IT) budgets will be dedicated towards cloud solutions. As the cloud foothold expands globally, so does the attack surface. With more organizations showing trust in cloud technology, security still features as a top challenge that they would face.

Many studies and research conducted across the years focus on understanding the true nature of threats that target cloud infrastructure. If you pay close attention to these, you will realize that the cloud is hardly the target; it is what lies within, that is, your data and applications. This is not a new problem; it has and will always exist.


As more and more sensitive data moves to the cloud every day, we seldom realize that with disappearing boundaries appear new privacy and data protection laws. Interfaces and APIs, shared technology and multi-tenancy nature, identity management, lack of adequate encryption, etc., are some issues that have long featured in the list. Compliance is an ongoing concern for top executives; security practices of cloud service providers (CSPs) are often reviewed on paper but rarely audited by experts. Market prominence and word-of-mouth publicity play an influencing role in choosing the cloud vendor, and most often flexibility and cost are given preference over security. Technical measures alone aren't sufficient. Legal contracts need to evolve for cloud nuances and risks as well. One of the factors that has been constantly undermined but is more prevalent now is the lack of skilled security resources. Many organizations delay moving to cloud due to lack of an appropriately skilled cybersecurity workforce. In-house IT teams aren't equipped with the right tools and knowledge to fight newer battles on newer grounds. Conventional security practices don't hold good as your perimeter now extends beyond your sight.

While cloud expands the attack surface and overall risks, organizations must truly understand that as business owners, they are still responsible to ensure that risks are addressed. It is essential not only to embrace cloud for business but also for security; it must become an integral part of the organizational security culture. Unfortunately, many organizations either don't cover cloud as part of their security policy or have merely listed it. Like any other aspect of security, cloud security continues to limp without the right support of necessary governance practices. The prudent man rule applies to us more than ever. We are responsible and accountable for the security of our businesses, whether in cloud or within company premises.

Good news is that there is a silver lining behind the cloud. As the trust and mindset matures, security practices and awareness have grown as well. Many organizations worldwide actively carry out and participate in raising cloud security awareness as well as standardizing the best practices to adopt for securing the cloud computing environment. Security executives should pay close attention to the following:

Security policy and governance framework: establish strategy and practices to support cloud security.


Empower security practitioners to be decision makers for cloud resources.

Audit the security controls: Don't rely on the proof of cloud vendors' security measures alone; have experts test and audit it. Third-party assessment is usually more beneficial. Audit them regularly.

Invest in building security skills: train right and hire right. Many organizations now find managed security services a valuable option to bridge the security skill gap by letting experts handle their security.

Redefine technical measures: implement more robust technical measures such as storing encryption keys separately in hardware. Companies like Akamai have pioneered this by building and securing separate key management infrastructure.

Focus on sensitive data: it is your priceless possession. Classify it and clearly define roles and accountability for safeguarding sensitive information stored in the cloud.

Ensure your legal rights: Have the right legal and contractual clauses especially designed for cloud infrastructure. Ensure that it covers clauses regarding data security and privacy compliance.

Invest in the right tools: beat the cloud with the cloud and not a sickle. A number of organizations find cloud security solutions to be effective, scalable and beneficial to their businesses. Costs should not be a challenge in the long run.

Redefine traditional risk assessment: generic or traditional risk assessment frameworks have proven to be partially effective for cloud deployments. Risk assessment should consider cloud as an integral asset.

According to Gartner, 2017 will see a growth of 18% in worldwide public cloud services. The expansion is inevitable and as security professionals, we all need to be ready for a rainy day. Do your due diligence, trust the cloud and carry your umbrella.

The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.


PROFILE

THE SHIFTING ENVIRONMENT OF NETWORK SECURITY
Bhaskar Agastya, Country Manager, Ixia

The world of threats expanded dramatically in 2016, and not just because of an increase in the amount of malware. Organizations are dealing with larger attack surfaces. Exploits of Internet of Things (IoT) devices have transitioned from speculation to reality. Users and organizations got direct experience with ransomware as attacks targeted nearly every mobile and desktop operating system (OS), and the ransomware moved from the hands of elite programmers into the hands of novice hackers. State-sponsored cyberattacks had a larger impact than ever, as Russian cyberattacks were linked to U.S. presidential election results. That was a lot to take in one year.

Today's threat landscape demands multiple proactive security systems throughout the network for a strong, layered security posture. These proactive security devices, like firewalls, next-gen firewalls, web application firewalls and intrusion prevention systems (IPSs), all require inline deployment in the network. But the introduction of multiple inline security systems raises concerns and questions about network uptime, performance, operational ownership, security flexibility, and overall costs.

Ransomware has become the hackers' favorite tool to make money in the cybercrime economy. The latest global ransomware attack appears to be a complex attack based on several ransomware families as well as multiple vectors. It has affected companies worldwide, including utilities and oil companies, shipping companies and airlines, and financial institutions. All this points to the clear fact that organizations need to protect themselves from future breaches by implementing preventive measures.

NEED FOR INLINE SECURITY FRAMEWORK

Ixia's Inline Security Framework is an industry-proven solution for deployment of multiple inline security tools that improves overall network availability, performance, and operational functions, while providing greater security flexibility and resilience, and lowering overall costs and personnel workloads. The Ixia Inline Security Framework utilizes bypass switch and packet broker technology to create a high availability zone in the network, where inline security tools can be deployed for optimal availability, security, and flexibility. Data enters from the red or untrusted network and is sent via the bypass switch up to the network packet broker (NPB), where it aggregates traffic, load balances across security tools, and provides application-level filtering to improve tool utilization. The data is then sent back through the bypass switch and sent on to the network.

Ixia's decade of history in inline security also provides several key capabilities to this deployment which are not available elsewhere in the industry. Ixia's inline solution separates the key inline component, the bypass, for maximum reliability and availability. The NPBs provide application and geography-based traffic filtering to greatly increase control over traffic, and offer the most powerful user interface available. Ixia's solution also offers very low latency versus other NPBs on the market, ensuring maximum performance.

Ixia security test solutions provide customers with advanced insight into the performance, security and stability (resiliency) of applications, devices, networks and data centers under high-stress conditions. Security testing has become a critical need for enterprises, government agencies, service providers and equipment manufacturers world-wide. Customers are increasingly reliant on Ixia's security test solutions, including BreakingPoint, IxLoad and Application and Threat Intelligence, to enable faster and more sophisticated network and security devices, and virtualized infrastructures.

IXIA'S SECURITY SOLUTIONS HELP YOU STAY ONE STEP AHEAD OF ATTACKS

BreakingPoint: Simulating real-world legitimate traffic, distributed denial of service (DDoS), exploits, malware, and fuzzing, BreakingPoint validates an organization's security infrastructure, reduces the risk of network degradation by almost 80%, and increases attack readiness by nearly 70%.

BreakingPoint Virtual Edition: Provides real-world application and threat simulation for complete performance and security testing, and its elastic deployment model allows you to achieve security resilience without sacrificing scalability or flexibility. Customers can quickly deploy and scale BreakingPoint VE across geo-diverse, enterprise-wide networks, thanks to its elastic and shareable virtualized test capabilities. By taking advantage of its flexible test functionality, you can quickly acquire the tools you need, as well as scale up and scale down in accordance with a project's unique demands. And the subscription sales model reduces IT operational expenses while maximizing existing security investments for significant bottom-line benefits.

ThreatARMOR: Cuts straight to the core of the problem by automatically blocking much of the network communication that malware needs to download instructions or transmit sensitive data. It prevents network probes, phishing clicks, and all traffic to and from untrusted countries. This reduces the risk from attacks such as zero-day ransomware mutations along with up to 80% of the malicious connections that threaten the network and generate floods of security alerts. Ixia's ATI Research Center provides an always-on stream of geolocation and threat intelligence for ThreatARMOR, individually validating every single blocked IP address, every single day. Detailed Rap Sheets provide clear, on-screen proof of malicious activity for all blocked sites to mitigate the risk of false positives.

This sponsored article is provided by Ixia. The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.


COLLABORATIONS

INFOSEC PARTNERSHIPS

In an age where cyber threats are becoming vast and frequent and the business landscape is evolving, it is imperative for CISOs to take a strategic leadership role and adopt a collaborative and inclusive approach. An acquisition or a collaboration can serve several purposes for organizations, right from propelling them into new markets to strengthening their critical IT infrastructure to sharing information for turning knowledge into action. These partnerships can be the most difficult, challenging, or chaotic events, but can represent the ultimate change for a business. In this segment, we take a look at some notable collaborations and acquisitions in the cybersecurity domain.

CISO MAG staff
CISCO AND IBM JOIN FORCES TO FIGHT CYBERCRIME

Cisco and IBM recently collaborated to fight global cyber threats. The two information technology giants signed an agreement to integrate Cisco security solutions with IBM's QRadar to protect organizations from various threat vectors. Under the agreement, IBM Global Services will support Cisco products in their Managed Security Service Provider (MSSP) offerings. Other key partnerships include IBM X-Force and Cisco Talos security, which will share intelligence and data to prevent attacks.

Cisco will build new applications for IBM's QRadar to help experts analyze and effectively respond to threats when working with Cisco's Next-Generation Firewall (NGFW), Next-Generation Intrusion Protection System (NGIPS), Advanced Malware Protection (AMP), and Threat Grid.

IBM's Resilient Incident Response Platform (IRP) will integrate with


Cisco's Threat Grid to help security staff manage incidents more quickly. To address the growing hybrid cloud market, IBM's Managed Security Services team will extend its support to Cisco security platforms in public cloud services.

"By combining Cisco's comprehensive security portfolio with IBM Security's operations and response platform, Cisco and IBM bring best-of-breed products and solutions across the network, endpoint and cloud, paired with advanced analytics and orchestration capabilities," said David Ulevitch, SVP and general manager, Cisco Security.

This isn't the first time the two technology giants are working together. During the infamous WannaCry ransomware attack that crippled nations across the world, Cisco and IBM shared intelligence to fight the threat. Their teams monitored the spread of the malware and constantly exchanged insights with one another.

MICROSOFT ACQUIRES CYBERSECURITY FIRM HEXADITE

Microsoft announced the acquisition of Hexadite, a cybersecurity company that provides artificial intelligence (AI)-enabled automated responses to cyberattacks. The financial details of the acquisition were not revealed by the firms, but Calcalist, a financial news website from Israel, had reported in May that the deal would be cracked for $100 million.

The acquisition aims to help Windows 10 users detect, respond to, and prevent network attacks. Windows 10 currently offers Windows Defender Advanced Threat Protection (WDATP), a program that has proven useful in detecting several advanced network threats, zero-day attacks, ransomware, etc. According to Microsoft, adding AI will make response and remediation faster and more effective. At present, WDATP protects almost 2 million devices. With Hexadite, Microsoft will add automated endpoint security remediation to WDATP.


"Our vision is to deliver a new generation of security capabilities that helps our customers protect, detect and respond to the constantly evolving and ever-changing cyberthreat landscape," said Terry Myerson, executive vice president, Windows and Devices Group, Microsoft, in a statement. "Hexadite's technology and talent will augment our existing capabilities and enable our ability to add new tools and services to Microsoft's robust enterprise security offerings."

The acquisition of Hexadite is a part of Microsoft's initiative to invest more than $1 billion annually in cybersecurity research and development. Earlier this January, Microsoft also invested in another cybersecurity firm, Team8. After the acquisition, the Hexadite team will be fully absorbed into Microsoft's Windows and Devices group.

PALO ALTO NETWORKS ACQUIRES LIGHTCYBER FOR $105 MILLION

Cybersecurity giant Palo Alto Networks completed the acquisition of LightCyber, an Israel-based cybersecurity firm. Founded in 2011 by Giora Engel and Michael Mumcuoglu, LightCyber specializes in behavioral analytics using machine learning and behavioral anomalies. LightCyber is currently headed by Chief Executive Officer Gonen Fink. The deal has been inked for $105 million in cash, which is approximately three times its capital investment. Palo Alto Networks will offer LightCyber products and support existing customer implementations.

"The LightCyber team's vision to bring automation and machine learning to bear in addressing the very difficult task of identifying otherwise undetected and often very sophisticated attacks inside the network is well-aligned with our platform approach," said Mark McLaughlin, chairman and CEO of Palo Alto Networks.

According to McLaughlin, technology from LightCyber will complement the automated threat prevention capabilities of Palo Alto. For example, an organization takes approximately five months to discover malicious activity from a network attack. This period of five months is called the dwell time. During the dwell time, the attacker can initiate data exfiltration and other modes of attack. Technology from LightCyber using its machine learning techniques cuts down the dwell time significantly and minimizes damage.

LightCyber also claims that its Behavioral Attack Detection platform, LightCyber Magna, produces fewer false alerts. Over 62% of all Magna alerts and 99% of confirmed alerts are investigated, remediated, or deemed useful by Magna customers. Investors in LightCyber include Battery Ventures, Access Industries, Amplify Partners and Israel-based investors Glilot Capital Partners, Shlomo Kramer and Vertex Ventures.

BICS ENTERS AGREEMENT TO ACQUIRE TELESIGN CORPORATION

BICS, a provider of wholesale connectivity and interoperability services, entered into an agreement to acquire TeleSign Corporation, a company specializing in authentication and mobile identity services to Internet and digital service providers, for $230 million. With the acquisition, TeleSign's cloud communications platform would now be backed with BICS's global reach, creating the world's first end-to-end CPaaS provider. The tie-up aims to utilize TeleSign's advanced cloud communication platform with BICS's world-wide influence to enter newer sectors.

TeleSign, a Marina del Rey startup, has been pivotal to the security and integrity of several top smartphone apps. For TeleSign, utilizing BICS's infrastructure would cut down the expenses of leasing bandwidth and help increase profits.

"We've been in the driver's seat of our industry's transformation, and we've built a solid business of over 1.5 billion euro ($1.6 billion) in yearly turnover, with the ambition of bridging the telecom world with the new and innovative communications providers worldwide," said Daniel Kurgan, chief executive officer of BICS.

Companies are moving from legacy to cloud communication. The new partnership leverages this trend. IDC forecasts that the worldwide communications platform-as-a-service market will grow from $867 million in 2016 to $8.2 billion by 2021.

The acquisition currently is subject to regulatory approval and could close in the third quarter of the year, reported the Los Angeles Times. TeleSign would operate as a subsidiary of BICS, and will retain Aled Mies as CEO. BICS CEO Daniel Kurgan will be appointed as chairman of TeleSign.

TECH TALK

BUG BOUNTY PROGRAMS: CLOSING SECURITY GAPS
Tari Schreider, Chief Cybersecurity Strategist and Author, Prescriptive Risk Solutions, LLC

WHAT IS A BUG BOUNTY PROGRAM?

Bug or hacker bounty programs go by several names, including vulnerability reward program, flaw disclosure, and hacker crowdsourcing. They all have one thing in common: they pay people for finding bugs in code. With few exceptions, programs pay cash for results. Once a bounty hunter submits proof of a vulnerability and the company sponsoring the program validates it, cash is paid. Programs come in all sizes, from small software companies who rely on voluntary bug finding to large companies like Google and Facebook that pay out millions of dollars annually.

Today, several thousand companies offer a bounty program. HackerOne maintains what they claim is the most exhaustive list of known bug bounty programs.


How a program essentially works is you invite people to attempt to penetrate your network, web sites, etc. If they find a vulnerability, they document the flaw, you verify it, and then issue a payment based on the conditions of your bounty. Easy peasy.

The following are several bounty programs that stand out from the crowd:

COMPANY             BOUNTY
Apple               $200,000 for the highest category of bug: secure boot firmware bugs.
Google              Donations to charities in conjunction with bounties.
Hack The Pentagon   Pilot bug bounty program of $150,000 for hackers in return for the vulnerabilities they find in its public facing websites.
Kraken              Payments made in bitcoins.
Netgear             Submit a chain of bugs to receive a bonus.
PayPal              Payments made to a PayPal account.
Uber                Hacker loyalty reward program and bug treasure map.
United Airlines     50,000 to 1 Million award miles.

BUG BOUNTY PROGRAM BUDGETING
Budgeting for a bounty program is a risk-based proposition. Ask yourself, what would it cost to fix a bug in production versus development or testing? Next, determine if that has ever happened; I am sure it has. Keep in mind that you only pay for successes in a bounty program. How much does it cost to keep a team of in-house security testers employed to find minimal bugs?

You can design a bounty program around any budget, even free (well, almost: you still have to pay for using the platform). Bounty hunters want to make a name for themselves, so some will work with programs that only provide kudos for finding bugs. This goes toward building their reputation and goal of becoming a much sought after super bug hunter.

Consider structuring your program around the priority rating of the bugs found. You may feel you want your bounty dollars to go only toward finding critical bugs and not those that pose an acceptable risk. Marketing can also kick in some money for the program, as it is a way to promote your company as doing the right thing.

PENETRATION TESTING VS. BUG BOUNTY PROGRAMS
Bounty programs have introduced an interesting argument: should I reduce my security testing staff and essentially outsource my security testing through a bug bounty program? In my experience, my clients that have compared results of in-house testing versus a bounty program have stated that bounty programs were far more successful in finding critical code flaws fast. The two main reasons are, one, internal security testers do not think like hackers and, two, the sheer metric tons of hacker brainpower who are financially motivated to find bugs.

Penetration testing has become too bureaucratic with lawyers, contracts, rules of engagement, etc. I have seen many penetration testing projects take weeks or months to negotiate, all while a bug bounty program at similar companies found dozens of bugs in that same period of time. Now I am not advocating eliminating penetration testing from the mix, but rather that you consider it as an essential strategy to fast-path security testing of public facing critical code.

UNIQUE BUG BOUNTY PROGRAMS
Bounties paid by companies can average from $200 to $200,000; however, an average reported by bugcrowd was $505.79. With a growing number of bounty hunters and bounty platforms, companies are looking for ways to gain notice by the industry's top bug researchers. United Airlines, for example, offers frequent flyer miles. I suggest you work with your organization's marketing department to come up with a unique and noticeable bounty payment to attract the best bug researchers. You certainly do not want to do what Yahoo did in 2013 and offer t-shirts to bug hunters for finding critical bugs in their code. This touched off such a hail of negative press against Yahoo that the press referred to the incident as t-shirt gate. So a word to the wise: really think through what message your bounty program sends.

BUG BOUNTY & DISCLOSURE PROGRAMS
A great way to model your bug bounty program is to view what other organizations have implemented. Thanks to bugcrowd and HackerOne, you can view nearly 2,000 with just a click of your mouse. Bugcrowd maintains an updated list of bounty and disclosure programs with direct links to the respective program sites. Think of this as security crowdsourcing of thousands of white hat hackers and professional security vulnerability researchers.

Bugcrowd can manage your program through a number of programs ranging from public (a collective of thousands of hackers and researchers), private (invite only researchers) or on-demand (project-based invited researchers). Bugcrowd provides a template for branding your bounty page, handles bounty payment, performs bug reporting triage and validation, and provides comprehensive reporting on your program.

Bounty programs are effective and indispensable to your SDLC or DevOps operations. HackerOne and Detectify are two other bounty platforms you may wish to compare to bugcrowd. Bounty Factory is a European-based platform that focuses on EU rules and regulations related code flaws. If you are just looking for a list of bug bounty programs, check out bugsheet. This site offers a curated list of over 370 programs offering a collective 150 bounties.

EVOLUTION OF BUG BOUNTY PROGRAMS
Bounty programs have been around for many years. Jarrett Ridlinghafer, while working at Netscape in 1995, established the first bounty program. He also coined the phrase "Bugs Bounty." Programs have progressed from casual in-house programs to sophisticated managed programs attracting only the highest profile bug hunters, and everything in between. Bounty hunting has become an industry with providers ranging from hunters who just triage code with vulnerability scanners looking for low hanging fruit, counting on the fact the sponsoring company never bothered to scan their own code, to professional bug researchers. Bounty hunting has also created a new breed of super hunter who devote their full-time energies to finding bugs as a profession.

WHAT TYPE OF BUGS ARE FOUND?
Bugcrowd reports the following types of critical bugs found by their researchers:

BUG TYPE      SHARE
Mobile_ Net   0.30%
SQLI          1.30%
Clickjack     2.90%
CSRF          8.20%
XSS           19.90%
Other         67.70%

BUG BOUNTY PROGRAM TIPS
1. Brand your program: marketing matters, and bounty programs attract public attention.
2. Make your program payout unique: you want to attract the most experienced bug hunters.
3. Use a commercial bounty program management platform: do not reinvent the wheel.
4. Clearly document the types of bugs you are willing to pay for: ambiguous hunter instructions lead to wasted time and money.
5. Scan your code before releasing it for bounty: you do not want to pay for bugs you should have caught.
6. Structure a loyalty program to attract the best bug hunters: build a rapport with your star hunters.
7. Integrate the bug bounty in DevOps: focus on finding bugs in development.
8. Carefully document dupe flaws: the fastest way to tank your bounty program is to issue the kirk response to dupe without proof.
9. Expect poor submissions: over 90% of bounty programs will have little to no value; many researchers do not read the bounty guidelines.
10. Expect your network probing: once the bounty is announced, researchers will start probing your network.

You know bug bounty programs have arrived when the federal government announces their intentions to start one.

CONCLUSION
Bug bounty programs are a great strategy to include in your arsenal of secure coding and testing processes. They provide a vulnerability perspective that in-house programs typically cannot. These programs are ideal for due diligence and fast-pathing testing on highly visible and critical web sites. Invitation only bounties have approximately twice the success rate as public bounties, due primarily to the quality of the bug researchers attracted, but they do cost more. Overall, this is something to consider in your mix of cybersecurity program practices.
