Spectre and Meltdown – UM Labs R&D Status
2018 started badly with announcements of two chip level security issues, Spectre and Meltdown. These are serious issues; their potential impact has reached the level where each has its own logo.
Both problems arise from the way modern Intel, AMD and ARM processors use speculative execution. The flaws potentially allow one application to read memory used by another application, or, in the case of Meltdown, a user level application to read memory used by the operating system kernel. Either could expose passwords or even encryption keys to a malicious application running on the same machine.
Meltdown affects almost every Intel CPU made since 1995 (a small number of ARM cores are also affected; AMD processors are not). Proof-of-concept exploits have been published. In response, Intel issued a press release stating that its processors worked as designed, which attracted a highly critical response from Linus Torvalds, creator of the Linux kernel. In an email on the 3rd of January Linus wrote:
I think somebody inside of Intel needs to really take a long hard look at their CPU's, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed.
.. and that really means that all these mitigation patches should be written with "not all CPU's are crap" in mind.
Or is Intel basically saying "we are committed to selling you shit forever and ever, and never fixing anything"?
Spectre affects Intel, AMD and ARM processors. It is much harder to exploit than Meltdown and, unlike Meltdown, cannot be closed by a single kernel change; at the time of writing only limited attacks have been demonstrated.
The UM Labs R&D RTC Cyber Security OS runs on Intel or AMD processors. We have carefully assessed the impact of both Spectre and Meltdown. Both flaws require the attacker to already be running code on the vulnerable machine: they are a way of reading memory the attacker should not be able to see, not a way of gaining access in the first place. Our systems run hardened and ring-fenced on Linux as a layer in private, public or hybrid cloud implementations. Access to the operating system is restricted, there is no mechanism that would allow malicious code to be introduced on to the system, and all patches and updates are protected and validated using a cryptographic checksum before they are installed. On that basis we can reassure users that none of our systems are open to an attack based on these flaws. In a public cloud the one remaining exposure is to other tenants on the same physical host; closing that depends on the cloud provider patching its hypervisors, which is outside our control but is being addressed by all the major providers.
The Linux community has updated the kernel to protect against Meltdown (kernel page-table isolation, KPTI) and is working on Spectre mitigations. There have been reports that the Meltdown patches can slow a system by up to 30%, with system-call-heavy workloads affected most. As the layered security in the UM Labs R&D OS prevents any known exploit path for Meltdown or Spectre, and as the patches are still being stabilised, we will not apply them immediately. We are continuing to review the situation and will issue an update for all supported systems when we are satisfied that the benefits of applying the patches outweigh the risks.
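Whether a given Linux host actually has the Meltdown and Spectre mitigations in place can be read from the kernel itself, which is the check to run before deciding to defer patching. The following is an added example, not part of the original post and not part of the UM Labs OS: from Linux 4.15 onward the kernel reports one file per issue under /sys/devices/system/cpu/vulnerabilities/, and this script classifies those files and lists anything left unmitigated. The sample tree it builds when that directory is absent is constructed for illustration, and its status strings are examples rather than a statement about any real host.

```python
"""Read the kernel's own Meltdown/Spectre mitigation report. Added example,
not UM Labs code. From Linux 4.15 the kernel exposes one file per issue under
SYSFS_VULN_DIR; the sample tree built below is constructed for offline use."""
import os
import tempfile

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample; illustrative status strings, not a report on any real host.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def classify(status: str) -> str:
    """Map a raw status line to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_vulnerabilities(vuln_dir: str = SYSFS_VULN_DIR) -> dict:
    """Return {issue: raw status}; empty if the directory is absent (kernel older than 4.15)."""
    if not os.path.isdir(vuln_dir):
        return {}
    statuses = {}
    for name in sorted(os.listdir(vuln_dir)):
        try:
            with open(os.path.join(vuln_dir, name)) as fh:
                statuses[name] = fh.read().strip()
        except OSError:
            statuses[name] = ""          # unreadable file is reported as unknown
    return statuses


def unmitigated(statuses: dict) -> list:
    """Issues the kernel reports as neither 'not affected' nor mitigated."""
    return [n for n, s in sorted(statuses.items())
            if classify(s) not in ("not_affected", "mitigated")]


def build_sample_tree() -> str:
    """Write SAMPLE into a temporary directory shaped like the sysfs one."""
    path = tempfile.mkdtemp(prefix="cpu-vuln-")
    for name, status in SAMPLE.items():
        with open(os.path.join(path, name), "w") as fh:
            fh.write(status + "\n")
    return path


if __name__ == "__main__":
    live = read_vulnerabilities()
    statuses = live or read_vulnerabilities(build_sample_tree())
    for issue, status in statuses.items():
        print("%-12s %-13s %s" % (issue, classify(status), status))
    print("source:", "live kernel" if live else "constructed sample")
    print("unmitigated:", ", ".join(unmitigated(statuses)) or "none")
```

On a patched 4.15 kernel the meltdown file reads "Mitigation: PTI"; a kernel without the directory is older than 4.15 and has no Meltdown mitigation at all, which the empty result makes explicit rather than silently reporting "none".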
The level of publicity generated around the European Union's General Data Protection Regulation makes it difficult to ignore the fact that GDPR comes into full force on 25 May 2018. There are numerous seminars and conferences dedicated to the topic. However, the majority of these events focus on traditional data processing applications; there is little or no focus on the application of GDPR to real-time communications.
Real-time communications (RTC) encompasses everything from a company's internal phone system to the new wave of Unified Communications applications. These services increasingly operate over IP networks, and the personal data they carry (call records, recordings, messages and presence information) falls squarely within the scope of GDPR.
Studies have shown that many IP phone systems and UC applications are poorly protected and are vulnerable to threats such as call fraud and information leakage. A call fraud attack can be expensive, racking up high charges in a short period, but leakage of personal information can be considerably more costly: GDPR penalties run to 4% of annual global turnover or €20 million, whichever is higher. The risk is magnified when RTC systems have external connections, yet connections to remote users and to service providers are necessary to gain the full value of the system. Deploying standard perimeter security measures such as general purpose firewalls is not an effective countermeasure, because these products are unable to detect and block the application level attacks targeted at RTC systems. This includes firewalls which claim to be SIP aware or which have SIP Application Level Gateways (ALGs). The Session Initiation Protocol (SIP) drives standards based RTC systems, and a SIP ALG rewrites SIP headers in transit; in practice ALGs break calls at least as often as they protect them, which has led the UK's NICC (an organisation developing interoperability standards for public communications networks) to call on firewall vendors to disable SIP ALGs by default.
The effective protection of RTC systems against known cyber security threats requires specialist security technology which is able to detect and block these threats. Any organisation that fails to implement effective security for its RTC systems and suffers a breach of personal data as a result may be liable for a penalty under the terms of GDPR.
Many organisations within the financial services sector face a further challenge when selecting technology to secure their communication systems. MiFID II came into force on 3 January 2018. Among other requirements, it states that selected communications must be recorded and archived in a form that can be replayed. GDPR names encryption as an appropriate measure for protecting personal data, but applying encryption to meet GDPR complicates meeting MiFID II: a call encrypted end to end cannot be captured in transit, and an encrypted archive must stay decryptable for replay for the whole retention period, so key management becomes part of the compliance problem.
Fortunately there is a solution. The UM Labs R&D RTC Cyber Security OS, running as a service in any cloud, is designed to protect all standards based real-time communication services. It has been extensively audited and tested and shown to implement the technical compliance recommendations published by the European Union Agency for Network and Information Security (ENISA). Implementing these recommendations provides a solid foundation for GDPR readiness. Recognising that GDPR is only one aspect of the compliance picture, the UM Labs R&D RTC Cyber Security OS also provides a policy driven call capture service which can pass call recordings securely to the organisation's preferred archiving platform.
GDPR Ready today.
It is accepted practice that any private network accepting external connections should have good perimeter security to protect the systems connected to it from attack. The networks tested by UM Labs included an Oracle Enterprise Session Border Controller (SBC) and AudioCodes SBCs, which provided the connection point to the SIP trunk provider. These SBCs are widely deployed as perimeter security devices and are white-labelled by other vendors including BroadSoft and Avaya.
UM Labs tested the perimeter security of these SBCs by running a number of security tests including:
A series of standard protocol conformance tests designed to determine the target system's ability to detect and block protocol level attacks which could lead to a denial of service condition, system misuse or penetration of internal systems.
A series of customised tests designed by UM Labs to detect application level vulnerabilities.
A series of flooding tests designed by UM Labs to test the response to a sustained attack.
SIPVicious, a widely used open source tool which attackers use to detect and identify VoIP systems.
The SBCs rejected virtually all of the messages sent as part of these tests, which initially appeared to be a good result.
However, more detailed investigation showed that these messages were rejected only because the SBCs were configured to accept VoIP protocol requests from a single IP address, that of the SIP trunk provider's system.
To prove this, the tests were repeated with a spoofed source IP address so that all test traffic appeared to originate from the SIP trunk provider. Spoofing is straightforward for SIP over UDP: a scan or flood does not need the replies to reach the attacker, so it does not matter that the SBC sends its responses to the provider's address. Under these test conditions the SBCs accepted a significant proportion of the test traffic and forwarded it to internal systems.
The tests that passed through the SBCs under these conditions included:
Approximately 50% of the standard protocol conformance tests.
All requests sent in multiple flooding tests.
All SIPVicious tests.
In all cases where the SBCs accepted and forwarded messages sent as part of the tests, those messages reached internal systems. This means that the internal systems had no effective perimeter protection; the only security the SBCs provided was a basic IP source filter.
That very limited protection is also redundant: in the current configuration, where all traffic arrives over an MPLS connection, all inbound traffic carries the same source IP address anyway, so additional source address filters on the SBCs have no real effect. If the end-user organisation needs to allow additional inbound connections, for example to let remote workers connect to the call centre, the SBCs' IP address filters will have to be relaxed, leaving the internal systems with no effective security protection at all.
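To make the distinction between the two kinds of check concrete, here is an added example; it is not code from the original article, from UM Labs or from any SBC vendor. It models a perimeter that only compares the packet's source address against the trunk provider's address, and a second stage that inspects the SIP request itself: required headers, Content-Length consistency, an allowed-method list and the default fingerprint of the SIPVicious svmap probe (User-Agent "friendly-scanner", "sipvicious" in the From header). The trunk address, the attacker address, the three sample requests and the allowed-method list are all constructed assumptions.

```python
"""Source-IP filtering versus application-level SIP validation. Added example,
not UM Labs or any SBC vendor's code; addresses (documentation ranges), sample
requests and the allowed-method list are constructed for illustration."""
TRUNK_PROVIDER_IP = "203.0.113.10"   # assumed trunk provider address
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")


def parse_sip(raw: bytes) -> dict:
    """Split a request into method, URI, lower-cased header map and body;
    raise ValueError for anything that is not a well-formed SIP request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("utf-8").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("bad header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": parts[0], "uri": parts[1], "headers": headers, "body": body}


def source_ip_filter(src_ip: str) -> bool:
    """The only control the audited SBCs turned out to apply."""
    return src_ip == TRUNK_PROVIDER_IP


def application_checks(raw: bytes) -> list:
    """Return the reasons to reject the request; an empty list means accept."""
    try:
        msg = parse_sip(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return ["malformed: %s" % exc]
    h, reasons = msg["headers"], []
    if msg["method"] not in ALLOWED_METHODS:
        reasons.append("method %s not allowed" % msg["method"])
    reasons += ["missing %s" % name for name in REQUIRED_HEADERS if name not in h]
    try:
        if int(h.get("content-length", ["0"])[0]) != len(msg["body"]):
            reasons.append("content-length mismatch")
    except ValueError:
        reasons.append("non-numeric content-length")
    # SIPVicious defaults: User-Agent "friendly-scanner", display name "sipvicious" in From.
    if ("friendly-scanner" in h.get("user-agent", [""])[0].lower()
            or "sipvicious" in h.get("from", [""])[0].lower()):
        reasons.append("SIPVicious fingerprint")
    return reasons


def perimeter_decision(src_ip: str, raw: bytes, inspect: bool) -> tuple:
    """(accepted, reasons) for an IP-filter-only perimeter or IP filter plus inspection."""
    if not source_ip_filter(src_ip):
        return False, ["source IP is not the trunk provider"]
    reasons = application_checks(raw) if inspect else []
    return not reasons, reasons


def _req(lines, body=b""):
    """Assemble a request from header lines (constructed test data)."""
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


LEGIT_INVITE = _req([
    "INVITE sip:2000@192.0.2.5 SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds", "Max-Forwards: 70",
    "From: <sip:+441234567890@203.0.113.10>;tag=1928301774", "To: <sip:2000@192.0.2.5>",
    "Call-ID: a84b4c76e66710@203.0.113.10", "CSeq: 314159 INVITE",
    "Content-Type: application/sdp", "Content-Length: 5"], b"v=0\r\n")

# As sent by SIPVicious svmap: conformant, so only the fingerprint gives it away.
SVMAP_OPTIONS = _req([
    "OPTIONS sip:100@192.0.2.5 SIP/2.0",
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-3838;rport", "Content-Length: 0",
    'From: "sipvicious"<sip:100@1.1.1.1>;tag=6a3f', "Accept: application/sdp",
    "User-Agent: friendly-scanner", 'To: "sipvicious"<sip:100@1.1.1.1>',
    "Contact: sip:100@198.51.100.7:5060", "CSeq: 1 OPTIONS",
    "Call-ID: 7a8e2b8f3c1d", "Max-Forwards: 70"])

# Conformance-test style: no Via, no Max-Forwards, Content-Length does not match.
MALFORMED_INVITE = _req([
    "INVITE sip:2000@192.0.2.5 SIP/2.0", "From: <sip:x@198.51.100.7>;tag=1",
    "To: <sip:2000@192.0.2.5>", "Call-ID: 1@198.51.100.7", "CSeq: 1 INVITE",
    "Content-Length: 10"])


def run_audit() -> dict:
    """Replay the audit scenarios; returns {scenario: (accepted, reasons)}."""
    attacker, trunk = "198.51.100.7", TRUNK_PROVIDER_IP
    return {
        "legit invite, trunk, inspected": perimeter_decision(trunk, LEGIT_INVITE, True),
        "svmap, attacker, ip filter only": perimeter_decision(attacker, SVMAP_OPTIONS, False),
        "svmap, spoofed as trunk, ip filter only": perimeter_decision(trunk, SVMAP_OPTIONS, False),
        "svmap, spoofed as trunk, inspected": perimeter_decision(trunk, SVMAP_OPTIONS, True),
        "malformed, spoofed as trunk, inspected": perimeter_decision(trunk, MALFORMED_INVITE, True),
    }


if __name__ == "__main__":
    for scenario, (accepted, reasons) in run_audit().items():
        print("%-42s %s %s" % (scenario, "ACCEPT" if accepted else "REJECT", reasons))
```

Run it and the spoofed svmap probe is accepted by the IP-only perimeter but rejected once the request is inspected, while the malformed INVITE reproduces the kind of conformance failure the audit describes. Source spoofing is this easy only for SIP over UDP: over TCP or TLS the attacker cannot complete the handshake from a forged address, which is one reason to prefer those transports for trunk connections, although that alone is still no substitute for inspecting the requests.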
Compliance is a further issue: businesses are subject to a growing number of compliance requirements. European regulations include GDPR and, for the financial markets, MiFID II. GDPR's treatment of personal data processing extends to the integrity of electronic communication networks and services, and guidelines published by the European Union Agency for Network and Information Security (ENISA) specifically include UC services within the scope of those articles. The ENISA guidelines identify a number of security measures that are not met by the systems audited by UM Labs R&D. The audited system fails to implement many of the ENISA recommended security guidelines, which call for multi-level attack protection of a kind the SBCs were never designed to provide.
The impact of MiFID II on existing call recording regulation
In the UK, recording of fixed-line calls has been a regulatory requirement (under the FSA, now the FCA) since 2009 and of mobile calls since November 2011, but until today the obligation has been limited to a relatively specialist community within the equity and bond trading sectors.
Under MiFID II, the scope for recording conversations between a firm and its customers increases significantly.
It takes existing call recording regulations and expands them in a few important ways:
• The requirements for recording telephone calls currently apply only to the conversations of individuals directly involved in trading, but under MiFID II will broaden to include anyone involved in the advice chain that may lead to a trade.
• As a result, both the number of firms and the number of staff within the firm that need to record conversations will increase by around a factor of 10.
• It covers not only the companies and people, but also the premises in which these telephone calls or conversations take place.
• MiFID II will require all "communications that are intended to lead to a transaction" to be recorded and retained, rather than the previous, narrower mandate of "client orders and transactions."
• These recordings will need to be stored for longer: from six months under today's regulations to a minimum of five years under MiFID II. Although most regulated UK firms already go beyond this and retain five to seven years of records for best practice or to comply with Tax Authority rules, it will now be mandatory.
• Maintaining records of the highest voice quality is increasingly important, since market abuse is one of the most difficult offences to investigate and prosecute. Good quality recordings of voice conversations and of electronic communications can assist both firms and the regulator in detecting and deterring inappropriate behaviour.
• The mere recording of conversations is no longer sufficient, and instead firms need to proactively review the records of all transactions and orders subject to these requirements, including relevant conversations, to monitor compliance with the MiFID II requirements.
Firms will be expected to demonstrate to the relevant national regulators that the policies, procedures and management oversight for these recording and monitoring rules are in place. The monitoring is specified as risk-based and proportionate.
The UK followed Norway's lead some six months later, mandating from November 2011 that all conversations between traders, whether on fixed or mobile phones and including voice and SMS/IM, were to be recorded. The FCA has mandated the recording of fixed-line telephone calls since 2009, both to reduce the risk of insider trading and to give the compliance function within trading firms greater transparency. Since 2011 the regulator has not discriminated between landline and mobile calls, so a good call recording solution must be able to securely store conversations on both.
But the recording of mobile phone conversations presents significant challenges around data privacy. At the same time as MiFID II becomes law, another piece of Europe-wide legislation, the General Data Protection Regulation (GDPR), comes into force. In the UK the GDPR supersedes the Data Protection Act 1998 and strengthens the protection given to individuals with respect to the data that organisations capture and hold about them.
Under GDPR, firms face much higher fines for data misuse than the current penalties under the UK Data Protection Act: up to 4% of total worldwide turnover or €20 million, whichever is higher. For this reason it is critically important that they consider their recording policies for MiFID II within the context of data privacy legislation, to prevent unwarranted intrusions into privacy.
GDPR (Article 32) names encryption, of data at rest and in transit, as an appropriate security measure; MiFID II requires calls to be captured and recorded in a form that can be retrieved, including where lawful intercept is required. To satisfy both, call capture must therefore produce recordings that are stored encrypted yet remain retrievable for authorised replay.
In the case of mobile phones, where one device is often used for both business and personal data, firms will need to consider carefully whether there is any viable way to ensure business calls are recorded without also recording personal calls. Even if the recording is never listened to, the organisation risks a breach of GDPR, as personal calls may contain what the regulation treats as special category ('sensitive') personal data.
It is therefore essential to consider the role of management oversight in all aspects of MiFID II implementation, since MiFID II sets out expectations that firms have robust oversight of the infrastructure their regulated users use to collaborate with customers. Firms should maintain a record of those individuals who are using company-provided and privately-owned mobile devices that have been approved for use by the firm.
Furthermore, the regulations are not simply about recording conversations on company-provided devices: conversations on approved privately-owned devices are in scope too, which in practice means using a fully compliant device and service for both.
Mobile recording. While the UK was the first country in Europe to mandate the recording of fixed-line calls, it was Norway that first required traders to record conversations on mobile devices as well.
Earlier solutions to this requirement were based upon premises-based equipment which would connect to the firms' physical voice network, or telephone switch, and record conversations where appropriate.
However, as more organisations adopt cloud-based services, including the storage and management of call recordings, firms are looking for cloud-based call-recording services that do not require any physical equipment on site. Furthermore, as staff become more geographically dispersed and frequently work from home, the firm needs to ensure that calls to fixed-line telephone numbers are recorded wherever staff may be working, across any location and all types of device.
UM-Labs R&D, with partners such as ATOS/Bull and their Hoox devices and Hoox services, takes existing technology investment into consideration and provides compliance with both MiFID II and GDPR, in line with the ENISA guidelines.
In the February 15th 2017 issue of his Crypto-Gram newsletter, Bruce Schneier wrote an in-depth analysis of the need for securing the Internet of Things (https://www.schneier.com/crypto-gram/archives/2017/0215.html#1). Bruce's contention is that the Internet of Things is growing into a world-sized robot, and we don't even realise it.
The Internet of Things is composed of sensors (for example temperature monitors), actuators (for example switches to control heating or air conditioning) and stuff in the middle which decides what to do with the information from the sensors and how to control the actuators. In his analogy Bruce likens the sensors to the eyes and ears of the robot, the actuators to the hands and feet and the stuff in the middle to the brains.
Allowing a world-sized robot to evolve from the rush to implement IoT is dangerous, as the level of security applied to IoT development is nowhere near adequate. For conventional computing the need for security is understood and, while implementation is not always perfect, in Bruce Schneier's words:
Companies like Microsoft, Apple, and Google spend a lot of time testing their code before it's released, and quickly patch vulnerabilities when they're discovered.
The same cannot be said for the sensors and actuators of IoT; the eyes, ears, hands and feet of the robot.
Those systems are sold at a much lower margin, and are often built by offshore third parties. The companies involved simply don't have the expertise to make them secure.
The global robot is developing to the point where uncontrolled security vulnerabilities can have life threatening consequences.
There is a fundamental difference between crashing your computer and losing your spreadsheet data, and crashing your pacemaker and losing your life. This isn't hyperbole; recently researchers found serious security vulnerabilities in St. Jude Medical's implantable heart devices. Give the Internet hands and feet, and it will have the ability to punch and kick.
One of Bruce Schneier's suggestions to address this problem is to start disconnecting systems:
If we cannot secure complex systems to the level required by their real-world capabilities, then we must not build a world where everything is computerized and interconnected.
UM Labs R&D has recognised this challenge, and has also recognised that the race to adopt and implement IoT is hard to stop. The development of the Internet over the past 30 years has shown us that security concerns are brushed aside until attacks start to hurt. The problem is that in the IoT world attacks that hurt can mean fatalities. To address this, the UM Labs R&D IoT security architecture recognises the challenges of securing sensors and actuators and provides a distributed mechanism to identify and authenticate these devices before they connect to the central IoT application. The architecture then secures the communications to and from these devices. To extend the robot analogy, UM Labs R&D provides the neurons which connect the hands and feet to the brain.
Quocirca's 2016 research found that the average European business expects to be dealing with 7,000 IoT devices over the coming 18 months. It recommends that IoT deployments be managed as a series of hubs or gateways that interoperate with spokes (the IoT devices) on closed networks behind network address translation (NAT). IoT gateways may be purpose-built or adaptations of existing devices such as network routers, set-top boxes or smartphones, although legacy devices pressed into this role will often be found wanting. These gateways, which control communications with the world at large, need unique IPv6 addresses. The UM-Labs R&D architecture is ready for this.
The key point is that, to be compliant with the new cyber security and data protection regulations, older protection designs must evolve to provide protection against multi-layered attacks, because attackers now combine spoofing with attacks at several layers at once. It is not acceptable, in a world of everyday real-time IP communication for corporate and consumer users, to be at the mercy of cyber criminal businesses that run value chains parallel to those of legitimate businesses and whose profit grows the higher up the technology stack they can reach.
Much of the legacy technology installed at the network layer was designed many years ago. These designs operate independently, with little awareness of what is happening at the other layers, such as the application layer and, above all, the content layer. An action taken by a cybercriminal at the network layer can therefore be the root cause of a simultaneous attack at the next layer up, and ultimately on the golden nugget, the content itself.
In an attempt to bring a more modern twist to how these designs should evolve, suppliers talk about SDN and NFV. Recent UM-Labs R&D blogs describe the failure here: existing hardware designs are being morphed into a software layer that can be used in an NFV implementation, but as isolated designs that operate predominantly at the network layer, with only some application-level aspects. That does not meet the need to integrate each layer to respond to the attack surface cybercriminals now exploit.
UM-Labs R&D has tested these designs repeatedly through licensed and certified ethical hacking of products currently in the market. Audit after audit has shown that the simple use of SIPVicious, which one legacy provider moving to NFV acknowledges has become a favourite tool of attackers, is enough to get past them. The problem is that most vendors still position Session Border Controllers, NFV based or not, as the solution to VoIP and UC security.
Some facts to make this concrete. SIPVicious is widely used in call fraud attacks. Examine the logs of almost any Internet-connected system that answers SIP (the perimeter in front of a web or email server will show the same probes as a VoIP system) and you will see the characteristic SIP OPTIONS requests generated by SIPVicious scans: its svmap tool probes with OPTIONS, by default with a User-Agent of "friendly-scanner" and "sipvicious" in the From header. Any SIP system with an Internet connection is therefore likely to be found. Once a target is detected, the attacker uses the other SIPVicious tools (svwar to enumerate extensions, svcrack to guess their passwords) and then tries to make calls through the system. If the system is not adequately protected, the attacker will use it to make fraudulent calls in large volumes. The cost to the victim organisation can exceed $100K.
Legacy products fail to provide effective protection against SIPVicious and many other attacks, and that is the point: there is no value in protecting against spoofing if a DDoS attack then opens the way to harvesting, man-in-the-middle attacks, malware on remote devices and more. The proof is in a number of detailed security audits which have shown that the legacy technology design fails to detect and block SIPVicious. 2016 saw multiple successful call fraud attacks on VoIP/UC deployments that relied on SBCs.
As noted above, making the shift to SDN and NFV can be key. But in a cloud world, whether private (on premise), public (Azure, AWS, SoftLayer) or a hybrid combination of the two, protection must float with the workload and operate over multiple levels, integrated and awake to attacks. Over-the-top monitoring is essential, which means a distinct design that works with SDN and also operates as a true OSI-layered, integrated stack driven by a defined rules table.
The explosion of mobile devices and content, server virtualisation, and the advent of cloud services are among the trends driving the networking industry to re-examine traditional network architectures. Many conventional networks are hierarchical, built with tiers of Ethernet switches arranged in a tree structure. This design made sense when client-server computing was dominant, but such a static architecture is ill-suited to the dynamic computing and storage needs of today's enterprise data centres, campuses, and carrier environments.
The UM Labs Cyber Security OS layered stack extends the use of SDN beyond simple deployment management. The platform works by detecting security threats and taking the appropriate blocking action. Threat detection and blocking are implemented at multiple levels, and in many cases the most efficient place to block a threat is at a lower level than the one at which it was detected. For example, a call-fraud attack can only be detected at the application level, but the most efficient blocking mechanism is to instruct the network security layer to block the offending source. A 21st century design built around cyber security needs covers networking, routing, mobile, IPv4 and IPv6 interoperability, and interoperability with any SIP UC solution such as an IP PBX, Skype for Business or Cisco Spark, and includes this feedback between threat detection and blocking action at all three security levels (network, application and content). SDN/NFV allow this feedback to extend into the cloud, where all NSPs, hosting providers and the new 'Cyber Security as a Service' (CSaaS) providers will need to be, especially given the data protection regulations and ENISA guidelines against which penalties will be gauged.
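The feedback just described, detecting at the application layer and blocking at the network layer, can be illustrated with an added example; it is not UM Labs code and does not describe the UM Labs OS internals. It consumes a constructed stream of SIP events (timestamp, source address, method, response code, User-Agent), raises an action on a scanner fingerprint, a burst of challenged or refused REGISTERs, or a request flood, and renders the network-layer actions as nftables commands. The set name, table, thresholds and addresses are assumptions, and the nft commands presume a set created with 'flags timeout'. One deliberate twist follows from the SBC audit earlier on this page: the trusted trunk address is never null-routed, because that address can be spoofed and blocking it would cut off the genuine trunk, so for that source the action stays at the application layer.

```python
"""Application-level SIP threat detection feeding network-level blocks.
Added example, not UM Labs code. Thresholds, addresses, the nft set and
the event stream are all constructed assumptions."""
from collections import defaultdict, deque

NFT_SET = "inet filter sip_block"   # assumed: nft set of ipv4_addr created with 'flags timeout'
BLOCK_SECONDS = 3600
BRUTE_FORCE = (5, 60.0)     # >= 5 challenged or refused REGISTERs within 60 s (assumed)
FLOOD = (30, 10.0)          # >= 30 requests within 10 s (assumed)
TRUSTED = {"203.0.113.10"}  # assumed trunk provider address


class SipThreatDetector:
    """Consumes per-request SIP events and raises a block action at the appropriate layer."""

    def __init__(self):
        self.failed = defaultdict(deque)   # ip -> times of 401/403 answers to REGISTER
        self.rate = defaultdict(deque)     # ip -> times of every request
        self.actions = {}                  # ip -> (reason, layer, expires_at)

    @staticmethod
    def _window(times, now, seconds):
        """Record an event and return how many fall inside the trailing window."""
        times.append(now)
        while now - times[0] > seconds:
            times.popleft()
        return len(times)

    def observe(self, ts, src_ip, method, status, user_agent):
        """Feed one event; return the reason if it triggers a new action, else None."""
        if src_ip in self.actions:
            return None            # already acted on; expiry is left to the nft timeout
        reason = None
        if "friendly-scanner" in user_agent.lower():
            reason = "sipvicious-fingerprint"     # default SIPVicious User-Agent
        elif self._window(self.rate[src_ip], ts, FLOOD[1]) >= FLOOD[0]:
            reason = "request-flood"
        elif method == "REGISTER" and status in (401, 403) and \
                self._window(self.failed[src_ip], ts, BRUTE_FORCE[1]) >= BRUTE_FORCE[0]:
            reason = "register-brute-force"
        if reason is None:
            return None
        # A trusted peer's address can be spoofed: null-routing it at the network layer
        # would cut off the real trunk, so that source is only dropped request by request.
        layer = "application" if src_ip in TRUSTED else "network"
        self.actions[src_ip] = (reason, layer, ts + BLOCK_SECONDS)
        return reason

    def nft_commands(self):
        """Network-layer actions rendered as nftables set updates against the assumed set."""
        return ["nft add element %s { %s timeout %ds }" % (NFT_SET, ip, BLOCK_SECONDS)
                for ip, (_, layer, _) in sorted(self.actions.items()) if layer == "network"]


# Constructed event stream: (timestamp, source IP, method, response code, User-Agent).
SAMPLE_EVENTS = (
    [(0.0, "198.51.100.7", "OPTIONS", 200, "friendly-scanner")]                   # svmap probe
    + [(10.0 + i, "198.51.100.23", "REGISTER", 401, "Zoiper") for i in range(6)]   # guessing
    + [(20.0 + i * 0.1, "192.0.2.77", "OPTIONS", 200, "Asterisk PBX") for i in range(40)]
    + [(30.0, "203.0.113.10", "INVITE", 200, "Provider-SBC")]                     # genuine trunk
    + [(31.0, "203.0.113.10", "OPTIONS", 200, "friendly-scanner")]                # spoofed as trunk
)


def run_detection(events=SAMPLE_EVENTS):
    """Run the detector over an event stream and return it for inspection."""
    detector = SipThreatDetector()
    for event in events:
        detector.observe(*event)
    return detector


if __name__ == "__main__":
    det = run_detection()
    for ip, (reason, layer, expires) in sorted(det.actions.items()):
        print("%-15s %-22s %-11s until t=%.0f" % (ip, reason, layer, expires))
    print("\n".join(det.nft_commands()))
```

The nft set would be created once (type ipv4_addr with flags timeout) and referenced from an input chain that drops matching sources; the commands the detector emits then add entries that expire on their own, so blocks do not accumulate forever. The trunk address spoofed as a scanner is recorded but produces no nft command, which is the layering point: the network layer cannot tell the forged packet from the real trunk, only the application layer can.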
As a footnote, UM Labs R&D, in conjunction with ITSPA (itspa.org.uk), is addressing this problem with real-time analysis of fraud attacks and sharing of that data as an effective defence against fraud and other SIPVicious-driven attacks. This capability, in conjunction with the multi-layered security provided by UM Labs R&D, is the only effective, assured defence against SIPVicious attacks and many other security threats facing real-time communications such as UC (VoIP, video, IM,
A GDPR study by the IAPP and TRUSTe has revealed that nine in 10 companies have actively started to address the regulation, including 43% who have a plan in place and 49% who have started implementing their GDPR compliance plan.
About 67% of EU companies said that their implementation is underway or completed, compared to 42% for the US. 43% of companies report they already carry out data inventory and mapping projects, and another 30% are planning to do so in the next 12 months. 71% of organisations are currently undertaking data privacy impact assessments.
Data protection regulation in Europe under GDPR, HR1770 in the USA on cyber security breaches, and the EU's MiFID II for financial services, which includes call recording, together bring a huge wall of potential pitfalls and fines for those corporates that ignore these moves by governments around the globe.
Mixed into this, because cyber crime is the scourge of the 21st century, is lawful intercept: a capability that authorities need in order to protect the country's crown jewels and that law enforcement must have. Data Protection Officers (DPOs; an estimated 75,000 will be needed globally) will become very frustrated that they have to work with 20th century legacy cyber security designs for protection and cannot avoid being hacked.
They will see guidelines from authorities such as ENISA stating clearly that out-of-date protection, legacy firewalls, routers and gateways that do not work as integrated solutions across the network, application and content layers, is never going to be compliant with the regulation. There is already a large body of evidence, and blame, attached to this technology: so many of its users have been hacked to date.
Take one aspect of real-time communications (RTC is a complex area, and UC/RT is a much-needed set of tools in the 21st century): the call fraud alone associated with IP PBX and UC platforms that are left open to attack amounted to $7.5 billion of losses in 2015.
Existing technology such as SBCs and firewalls cannot determine whether a call is legitimate or not, which allows access, following DDoS attacks, at all three layers. Legacy designs can never be assigned compliance approval, so why keep the status quo?
The change is that, with a 21st century design built from the bottom up, you can have multi-level cyber security. It can be run as Security as a Service to your business, it reflects the value chain of cyber crime in its rules, and it is designed to run in any cloud implementation, whether public, private or hybrid.
Already proven compliant, tested by credible red teams, and matched to the ENISA guidelines, the R&D shows leadership and will be a good choice for the new army of DPOs, for whom there is only pain today.
Summary of unique points:
1. UM-Labs R&D provides unique premium protection for real-time communication cyber security on an opex basis.
2. The solution is currently the only compliant and tested platform under ENISA guidelines (covering GDPR and NIS with multi-level integrated security, lawful intercept and EAL4-evaluated encryption).
3. The solution has been through rigorous pen tests set against legacy offerings, showing SBCs, application gateways and proxy gateways to be redundant.
4. The solution is designed to meet evolving situations such as IPv4 and IPv6 (IoT/IoE) transparency, providing transparent interoperation between v4 and v6.
5. The solution scales to 100,000+ users, so it is carrier grade.
6. The solution can be implemented in an hour, not days or months.
7. The solution is the first cyber security cloud layer OS.
8. The solution takes SDN and NFV into consideration, but is based on a new design, not a transfer of legacy hardware designs into software.
9. The solution covers mobile as well as desktop (all connectivity: Wi-Fi, LTE or SIP trunking).
10. The solution is available now, with an ROI set against the cost of not complying with the new policy backdrop of researched needs; that makes good business sense.
The Register reports that the UK government is proposing that the Interception of Communications Commissioner's Office be tasked with monitoring the growing use of IMSI catchers in and around UK prisons.
IMSI catchers are fake mobile network base stations. IMSI stands for International Mobile Subscriber Identity, the unique identity carried by each SIM; a catcher works by presenting a stronger signal than the genuine network so that nearby phones attach to it and reveal their IMSIs. On 2G (GSM) networks, or by forcing a phone to fall back to 2G, it can also intercept calls and text messages. The ease with which IMSI catchers can be used has led some to claim that the acronym stands for Idiots Missed Security Implementation.
Their use in and around prisons enables the authorities to monitor prisoners' communications, but these devices are not selective: anyone using a phone in the vicinity of a prison risks having their communications intercepted.
The Register article also points out that there is a growing number of fake base stations in and around London. There is a real risk that any call made from a smartphone could be intercepted, and a breach of confidentiality resulting from the interception of a call is likely to constitute a personal data breach under the new European General Data Protection Regulation.
UM Labs has developed an easy-to-deploy service to encrypt calls, protecting their confidentiality and supporting compliance. Encrypting the call content protects what is said even if the radio link is intercepted; it does not hide the IMSI itself or the fact that a call took place, both of which remain visible to whichever base station the phone attaches to.
In other European reaction to WhatsApp's August 2016 announcement that it would begin sharing user data, including phone numbers, with its parent Facebook, the Italian data-protection authority said the changes raise concerns for "the protection of the data of millions of citizens and numerous users of WhatsApp." The U.K. Information Commissioner said in an Aug. 26 statement that its role is to "pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared."
WhatsApp said in a blog post announcing the changes on Aug. 25 that its users’ “encrypted messages stay private and no one else can read them. Not WhatsApp, not Facebook, nor anyone else” and that they “won’t post or share your WhatsApp number with others, including on Facebook, and we still won’t sell, share, or give your phone number to advertisers.”
Another consideration for every social platform is that it can be abused by third parties in a variety of legal and illegal ways. Programs can replicate user behaviour and, armed with a valid user account, quickly and efficiently access all available contact accounts and harvest their data. Businesses cannot assume that online services provide any guarantee of security:
"That profile, that picture, that browsing habit or that buying pattern makes this generation the easiest and more importantly the quickest, target for fraudulent misuse of identity since the practice began." (Computer Fraud and Security, a Reed publication)
Individuals and business leaders must understand and accept that it is an imperative for any online service to be able to supply their services and cover their costs while making a profit for their shareholders. We can benefit from these services but we should not presume they are mature, stable or secure. Whilst money may not have changed hands, your participation in the service represents a level of investment and "caveat emptor" still applies.
The revelation coincides with fresh concern over the latest version of the "snooper's charter", which will give the police powers to access everyone's web browsing histories and hack into phones. This must place WhatsApp and Facebook in a tricky position, as no decryption service supporting legal intercept is known, other than UM Labs' of course, which is compliant with legal intercept requirements.
Our increasing reliance on fast and efficient communications in both our business and personal lives increases our exposure to cyber threats. These threats are nothing new. Since the emergence of the World Wide Web in the early 1990s and the growth in the use of Internet based email services we have become accustomed to the fact that connectivity brings both benefits and risks. Whether we have taken effective steps to control those risks is another question. The new generation of real-time communications applications are potential targets for the existing cyber threats but also introduce new threats. This review covers both sets of security threat.
Businesses need faster forms of communication to improve productivity and reduce costs. The new generation of workers are turning towards familiar applications to achieve this. These new applications include IP applications for voice (VoIP) and video calls, conferencing services and messaging. They are made more effective through the use of presence services, the ability to track the availability of colleagues. These new services have developed in the absence of clear controls and regulation, exposing the business to new cyber threats. However, recent moves by governments in both Europe and North America are pressuring business to ensure that their security policies cover all methods of data processing and communication.
Europe is taking a lead on this initiative. In December 2015, the European Union published the General Data Protection Regulation (GDPR) (European Parliament, 2016). This builds on previous EU initiatives, including provisions for data erasure (the right to be forgotten) and data portability. To assist businesses in meeting the new regulations, the European Union Agency for Network and Information Security (ENISA) has published a set of technical guidelines. These guidelines specifically include the new generation of communications services and extend to the networks commonly used by those services (public WiFi, 3G/4G, VoIP services).
Government has been understandably reticent about regulating real-time communication, until it became a risk to commerce and trade: cyber crime has grown to a level that represents a real threat to data privacy and has a significant economic impact. Board level ignorance is no longer acceptable. While the concept of reasonableness is somewhat subjective, the questions for CEOs, COOs and CISOs to ponder are these: Does my security program constitute reasonable protection for a company in my industry, and would the program withstand legal scrutiny? If my company suffers a security breach, and I have to explain my actions a year from now in front of a court, will those actions show that I did what was reasonable to protect my company's information assets?
Thus it is important to have a set of rules that show the value chain working from cyber security protection upwards through to compliance and policy directives. The resulting cyber security policy must be clear and concise, understandable and acceptable at board level and, most importantly, able to demonstrate that all reasonable efforts have been made to protect against cyber threats. In the event of a security or compliance breach, the ability to show that the organisation's cyber security policy recognised the threats, used the most appropriate available technology to protect against those threats, and was fully implemented, is an effective way to reduce the penalties imposed by the data protection authorities.
Take a lead, self-regulate and provide support to the business, large and small, in addressing this challenging and dynamic environment. This Paper is designed to help business leaders develop informed cybercrime policies which are effective in protecting the business and ensuring conformance to compliance regulations.
The New Communications Paradigm: the communications revolution gathers pace. Never before have so many people communicated so much so often.
Generation Y and Generation Z will automatically use instant messaging rather than email, text messaging rather than voice calling, video calling rather than face-to-face meetings and share personal data about their lives in a page on a social network.
Messaging is the new phone call, so it would appear, as WhatsApp has demonstrated by surpassing 900 million active users every day, while only recently providing encryption for its traffic as a way to prevent breaches of the confidentiality of personal data.
Like it or not, the business world is well and truly online and inextricably linked with this communications revolution. All this can be considered progress, but the rules of engagement in this brave new world are far from clear. Technologies provide the tools to achieve real-time communications, delivered by multiple companies, but not all products are inter-operable and not all are able to protect against cyber-attacks. Multi-vendor systems are the reality, but mixing products where some have limited security controls makes providing 'end-to-end' compliant cyber security a challenge.
Good business management requires clear strategies for successful online engagement, with clear guidelines and policies to manage potential risk to companies and their employees.
Broadly understood, compliance is an important mechanism that supports effective governance. Compliance with regulatory requirements and the organization's own policies is a critical component of effective risk management. Monitoring and maintaining compliance is not just about keeping the regulators happy; it is one of the most important ways for an organization to maintain its ethical health, support its long-term prosperity, and preserve and promote its values.
FULL POLICY PAPER TO BE RELEASED FRIDAY 26.8.2016