Embed Size (px)
Citation preview
MARCH 2014 ASEAN | VOL.1I N F O R M A T I O N
A S E A NSECURITYMOBILE SECURITY REPORT: DATA ON DEVICES
MOBILE SECURITY: NEW DEVICES, NEW THREATS
CYBER THREATS: NEW YEAR, NEW RISKS?
SECURITY AND THE NSA: SNOWDEN, BSAFE AND FIXING THE MATHNEW YEAR,
NEW RISKS? Cyber security challenges for
Singapore and Malaysia as the cyber enemy becomes more diverse, more sophisticated
and more dangerous than ever before
CYBER THREATS:
COVER STORY: CYBER RISKS
IN 2014
MOBILE SECURITY REPORT
NEW DEVICES, NEW THREATS
SECURITY AND THE NSA
2 INFORMATION SECURITY n ASEAN n MARCH 2014
CYBER THREATS
HACKTIVISTS, state-sponsored spies, cash-hungry fraudsters, malicious insiders – the cyber enemy facing organiza-tions in 2014 is more diverse, more so-phisticated and more dangerous than
ever before. Malaysia and Singapore sit at the hub of Asia-Pacific, one of the world’s most active regions for cyber crime. So where do the risks lie for businesses in the re-gion, what can chief security officers (CSOs) do to suc-cessfully stem the tide of attacks, and are governments taking a big enough leadership role?
The good news is that 2014 got off to a good start for Singapore. In January, global security supplier FireEye signed a landmark agreement to build a cyber security Centre of Excellence in partnership with the govern-ment’s Infocomm Development Authority (IDA). The agreement will not only give FireEye the ability to better secure its customers in Singapore, Malaysia and beyond against regional attacks, but will see the firm working with local Institutes of Higher Learning (IHLs) and local
2014: NEW YEAR, NEW RISKS? Cyber security challenges for Singapore and Malaysia By Phil Muncaster
VEGE
/FOT
OLIA
COVER STORY: CYBER RISKS
IN 2014
MOBILE SECURITY REPORT
NEW DEVICES, NEW THREATS
SECURITY AND THE NSA
3 INFORMATION SECURITY n ASEAN n MARCH 2014
CYBER THREATS
activists and opposition party leaders were in uproar after a series of distributed DDoS attacks took out their sites before election time.
IP THEFT A BIG RISKHacktivists are not the only threat facing organisations in Malaysia and Singapore. Intellectual property (IP) theft is a major and growing risk, often achieved through covert APT-style raids, according to Boland.
“The World Intellectual Property Organization (WIPO) says that three-fifths of countries globally and 45% of WIPO patents are from APAC. There’s so much IP and a lot to be gained from stealing it,” he says.
Asia-Pacific as a whole is twice as likely to be targeted by an advanced attack as the world as a whole, according to FireEye. In 2013, South Korea, Japan and Taiwan were the top three most targeted countries in APAC, with Singapore creeping into the top 10 countries at number 10. Malaysia does not even make it into that list, but that doesn’t mean CSOs there can relax, according to Boland. “In general, the richer the country, the more likely it is to be targeted by both nation states and cyber criminals,” he says.
Another good indicator of how secure a country’s IP space is comes in the form of Akamai’s quarterly State of the Internet report. The firm listed the top source of attack traf-fic in Q3 2013 as China (35%), with Singapore (0.1%) and Malaysia (0.2%) barely on the chart. This is important as it indicates that there are relatively few machines in the latter
ICT companies to develop at least 10 new tools to detect and prevent advanced persistent threats (APTs).
APTs are a new breed of highly targeted attack. Mal-ware is typically landed covertly via a malicious email attachment or link and can often sit undetected in an or-ganisation for months or years, all the while taking sensi-tive internal data.
FireEye’s APAC CTO, Bryce Boland, says the firm will train 100 full-time staff to man the Singapore Centre of Excellence over the next year. “The idea was to build it up to have a large capability to deal with the large amount of APAC-specific malware,” he says. “In APAC there is a lot of malware activity taking place. There are a lot of coun-tries and many of them have tense relationships, so we of-ten see that boil over into cyber space.”
These “tense” relationships have most obviously been seen of late in hacktivist battles between Indonesia and Australia, the Philippines and Indonesia, and North ver-sus South Korea. Singapore late last year incurred the wrath of hacktivist collective Anonymous after a contro-versial new media regulation was touted by the govern-ment. Several sites were defaced or hit by a distributed denial of service (DDoS) in retaliation, including some pages on prime minister Lee Hsien Loong’s official site.
Malaysia is also no stranger to high-profile hacktivist-style attacks. In early 2013, bloody clashes with Filipino insurgents in Sabah led to Philippine hackers targeting numerous Malaysian sites. Later that year, human rights
COVER STORY: CYBER RISKS
IN 2014
MOBILE SECURITY REPORT
NEW DEVICES, NEW THREATS
SECURITY AND THE NSA
4 INFORMATION SECURITY n ASEAN n MARCH 2014
CYBER THREATS
becoming a datacentre hub in the region,” he says. “Hence it is imperative that organisations in both coun-tries implement strong cloud security measures to protect data and privacy, especially for public organisations.”
So what of the government response? Well, Malaysia’s National Cyber Security Policy, launched in 2007, was widely seen as “one of the most proactive measures of a government in the region”, according to Vu.
The Singaporean government has also been one of the more advanced when it comes to anticipating the cyber threat. It’s had an Infocomm Security Masterplan (ISMP) in place to map out how best to defend the city state since 2005 and launched the most recent – the five-year Na-tional Cyber Security Masterplan 2018 – last year.
“Since the early days of computerisation in Singa-pore, emphasis has been placed on ensuring the confiden-tiality, integrity and availability of information, as well as the security of the underlying systems and communica-tion networks,” says a government spokesperson.
However, the final word should go to Vu: “Although governments in the two countries have been proactive and demonstrated leadership, it is the responsibility of every organisation and individual to protect themselves from cyber attacks. Only when awareness is improved will organisations be able to defend themselves against threats in the era of the internet.”
two countries which have been compromised and taken over by cyber criminals to launch attacks.
That said, local CSOs cannot afford to take their eyes off the ball in 2014, according to Forrester senior analyst Manatosh Das. “Nearly 45% of the Asian organisations in our survey identified mobility as a high or critical pri-ority for 2014,” he says. “As enterprises introduce mobil-ity, the new access points attached to the network create opportunities for attackers to break into the infrastruc-ture directly or via mobile application portals that provide gateways to protected, sensitive data.”
This especially relevant to Singapore, where there are twice as many mobile phone subscriptions as people, and Malaysia, which led the world for the highest number of de-vices accessing the corporate network in 2012, according to a report from Citrix, with an average of six per employee.
Furthermore, strict new compliance requirements in the form of Malaysia’s Personal Data Protection Act 2013 and Singapore’s Personal Data Protection Act 2012 should focus CSOs’ minds, he says.
“The penalties for non-compliance in the Asia-Pacific re-gion are growing and it’s increasingly important to pay atten-tion to local regulations… the repercussions can be severe.”
CLOUD SECURITYFor Frost & Sullivan analyst Vu Anh Tien, cloud comput-ing remains a key area of concern. “While Singapore remains a business hub, Malaysia is on the way to PHIL MUNCASTER is a British journalist based in Hong Kong.
COVER STORY: CYBER RISKS
IN 2014
MOBILE SECURITY REPORT
NEW DEVICES, NEW THREATS
SECURITY AND THE NSA
5 INFORMATION SECURITY n ASEAN n MARCH 2014
Data on Devices A recent survey shows the battle between corporate-issued devices and personally owned smartphones and tablets is too close to call BY KATHLEEN RICHARDS
MOBILE SECURITY REPORT
technology implementation strategies in 2014. While mobile security is stuck in the middle of an am-
bitious list of initiatives in 2014, IT managers and corpo-rate executives have struggled in recent years to secure their corporate data and internal networks, which must accommodate a mix of corporate-issued and personally owned devices. In an April 2013 TechTarget networking purchasing intentions survey of 2,700 IT managers, re-spondents ranked network security (31%) as the top pri-ority for the next 12 months, followed by Wi-Fi/WLAN (27%) and data center network upgrades (25%). Bring your own device (consumer devices) outpaced all other categories as the top blind spot in existing implementa-tions for network management (58%). Security (40%) ranked a distant second among those surveyed, followed by WLAN (31%) and cloud computing (31%).
WE ASKED THE READERS of Informa-tion Security and its sister sites (of which there are many) about their IT security initia-tives in 2014. Not surprisingly,
one-third of respondents to our Global IT Priorities Sur-vey, conducted in Q4 2013, indicated that mobile endpoint security is part of a crowded to-do list. It ranked in the 30% range in our mobile security report data, alongside fundamental security controls including threat detection/management, application-based security, vulnerability management, encryption, security data management/anal-ysis and virtualization security. Only network-based secu-rity and data loss prevention ranked notably higher.
For this survey, TechTarget electronically polled 4,151 IT managers and security professionals about their
COVER STORY: CYBER RISKS
IN 2014
MOBILE SECURITY REPORT
NEW DEVICES, NEW THREATS
SECURITY AND THE NSA
6 INFORMATION SECURITY n ASEAN n MARCH 2014
MOBILE SECURITY REPORT
of those surveyed are basing their mobile device strate-gies on plans that allow employees to choose and pur-chase their own devices. Most of those surveyed said their organizations will either use corporate-purchased devices (37%) or a combination of corporate-purchased and indi-vidually chosen (39%) smartphones and tablet PCs.
Data from the latest TechTarget Global IT Priorities survey shows that mobile device security is still a hotspot for IT executives as tablets continue to gain ground on smartphones, and some organizations are exploring mo-bile virtualization and other security initiatives. Despite the clamor around BYOD, fewer than one-fourth (24%)
39%
30%
30%
33%
26%6%
32%45%
35%
33%
35%
34%
3%0 10 20 30 40 50
Data loss preventionNetwork-based security
Application-based securityIdentity and access management
Security data management/analysisMobile endpoint security (for smartphones)
Virtualization securityThreat detection/management (antimalware)
Vulnerability management (patch/configuration management)Encryption
Cloud securityDon’t know
None of the above
Which of these security initiatives will your company implement in 2014?
N=2,072; Respondents were asked to select all that apply; Source: TechTarget Global IT Priorities 2014
COVER STORY: CYBER RISKS
IN 2014
MOBILE SECURITY REPORT
NEW DEVICES, NEW THREATS
SECURITY AND THE NSA
7 INFORMATION SECURITY n ASEAN n MARCH 2014
MOBILE SECURITY REPORT
How will your company implement smartphones?
What is your main goal with tablets?
N=3,360; Respondents were asked to select all that apply; Source: TechTarget Global IT Priorities 2014
N=1,407; Source: TechTarget Global IT Priorities 2014
N=1,339; Source: TechTarget Global IT Priorities 2014
Which of these mobility initiatives will your company implement in 2014?
0 10 20 30 40 50
Don’t know
None of the above
Mobile virtualization
Mobile enhancement of data/applications
Mobile security
Mobile device management
Tablet PCs
Smartphones42%
40%
33%
32%
23%
13%
12%
11%
39%
37%
24%
27%
52%
21%
Corporate purchase
Allow employees to choose and purchase their own devices
Combination of corporate
purchase and individual
choice
Implement dedicated device for mobile workers, such as truck drivers or warehouse personnel
Accommodate end user demand to integrate into corporate network
Reduce cost of end user computing
for personnel with limited
computer needs
COVER STORY: CYBER RISKS
IN 2014
MOBILE SECURITY REPORT
NEW DEVICES, NEW THREATS
SECURITY AND THE NSA
8 INFORMATION SECURITY n ASEAN n MARCH 2014
WE’VE ALL SURVIVED the holiday rush and celebrations, and now the real fun begins: evaluating the security implications of the new mobile “toys” that people
want to use to access corporate data, applications and net-works. Niche items such as Google Glass and the Samsung Galaxy Gear smartwatch make for great stories during lunch breaks, but in most organizations these devices cur-rently have little impact. However, the influx of iPad and Android tablets and wide range of smartphones can really challenge network security, especially in organizations that support the bring your own device (BYOD) trend.
BYOD is one of those topics that has adamant support-ers and detractors. Honestly, I think BYOD is something that each organization has to evaluate based on its needs
(and wants). But whatever the choice, mobile devices have to be evaluated at some level before you allow them to run on internal networks.
How can you determine which devices to allow or what level of access these products should have? Of special concern are those that are increasingly popular among staff (the new phablets) and company executives (tablet/laptop transformer devices). Analysts expect consumers to opt for smaller-sized tablets over older smartphone replacements – and so should you in the coming year.
DEVICE-SPECIFIC EVALUATIONSSecurity organizations have to ask a number of device-specific questions, and those answers will drive support and security decisions.
New Devices, New ThreatsHow to evaluate the devices we love. BY KEVIN JOHNSON
MOBILE SECURITY
COVER STORY: CYBER RISKS
IN 2014
MOBILE SECURITY REPORT
NEW DEVICES, NEW THREATS
SECURITY AND THE NSA
9 INFORMATION SECURITY n ASEAN n MARCH 2014
MOBILE SECURITY
business application. Who wants to admit to their boss that the primary purpose for the device is the “cool” fac-tor? (If I had told my management team I wanted them to sign off on Google Glass because it made me popular, there’s no way I would own one.)
Look for business efficiencies as well as technology advances that can make jobs easier or provide benefit to the company. I recently signed off on a Nexus 5 purchase for one of our consultants. Yes, I know he wanted a new gadget, but he was able to show a potential value to the company. Long story short, Jason now has a Nexus 5, and it’s already shown benefits to the business by providing us with information on attacks possible against the device.
What connection types does the mobile device support? The connections are often where the real risks of adding a device comes into play. A Wi-Fi-only device limits the number of connections the attacker can use against the organization, but this may also cause some employees to connect to an untrusted wireless network to get their jobs done.
What is the device? Is it an Android tablet, a Windows phone or a more unusual gadget, such as a 3D printer for mobile devices or, coming soon, a mini drone? This ba-sic question helps you determine the category of devices to consider, and drives the rest of the questions. It also provides a starting place based on existing policies and procedures.
Are similar or related devices already supported? Is the new device an upgrade to a Samsung Galaxy Android tablet or Apple iPhone smartphone that you already deal with through your existing security controls? If it is, does the latest version change something fundamental (for instance, the cellular connection on the cellular model of the iPad Air or an operating system upgrade such as the Google Nexus 5 running Android KitKat)? If it is similar enough, then the device likely has the required security controls; it’s already supported in key areas (access control, authentication, mobile device management, data encryption), so you can move on and evaluate the next device.
What is the need for the device? This question is a bit more complicated. You have to evaluate the business reasons behind why people want to use specific devices, and dig into their underlying thought processes. Is it just a new fad or is there a business driver? This evaluation is often more difficult if the device has little practical
Mobile devices have to be evaluated at some level before you allow them to run on internal networks
COVER STORY: CYBER RISKS
IN 2014
MOBILE SECURITY REPORT
NEW DEVICES, NEW THREATS
SECURITY AND THE NSA
10 INFORMATION SECURITY n ASEAN n MARCH 2014
MOBILE SECURITY
that sometimes new things aren’t so scary (wait for more wearables and the internet of things). Many devices actu-ally benefit the organization. n
KEVIN JOHNSON is the founder and CEO of Secure Ideas, an IT security consulting firm specializing in identifying companies’ cyber security vulnerabilities. In a career spanning over 20 years, Kevin has worn almost every imaginable IT security hat, including instructor, consultant, public speaker, administrator and architect. You can find him on Twitter at @secureideas.
Security organizations also need to think about how different connection types can affect the security of their internal wireless network systems. A device that has a cel-lular connection active while it’s connected to the cor-porate wireless network could allow an attacker to pivot from that cellular connection on to the network, bypass-ing the typical internet controls a company has in place.
To sum up, think about why your employees want these new devices and, despite the onslaught, try to keep an open mind. As security people, we have to accept
VEGE
/FOT
OLIA
COVER STORY: CYBER RISKS
IN 2014
MOBILE SECURITY REPORT
NEW DEVICES, NEW THREATS
SECURITY AND THE NSA
11 INFORMATION SECURITY n ASEAN n MARCH 2014
Snowden, BSafe and Fixing the Math Is there a potential weakening of security products and services courtesy of the NSA? BY ROBERT RICHARDSON
independent identities, which are fundamental to creat-ing modern civilization.
PROBLEMS IN THEORYIt appears Snowden was wrong – at least, partially – about the NSA’s access to encrypted data. Or, perhaps, he was putting a lot of weight on the phrase “properly imple-mented”. Because if you had hung your trust on RSA, the security division of EMC’s BSafe cryptosoftware, and used its default settings (Dual Elliptic Curve Deterministic RBG algorithms), it’s pretty clear that the NSA had a back door to your plaintext. Snowden should have been aware of this issue. When his identity was first revealed in the Guardian, he said: “I carefully evaluated every single docu-ment that I disclosed to ensure that each was legitimately in the public’s interest.”
ONE OF THE RESPONSES to early salvos of former US National Security Agency (NSA) contractor Edward Snowden’s surveillance releases was “trust the math”. That’s how security
veteran Bruce Schneier put it in a posting to his blog site. Snowden himself, when answering reader questions on the Guardian website, said: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
A lot of us heaved a huge sigh of relief on hearing that. Not because NSA surveillance will reveal our big, dark secrets, but if the security community cannot say with confidence that it stores the world’s digital data securely, it’s time to dismantle the industry. And beyond that, pri-vacy is essential. A sense of privacy fosters self-aware,
SECURITY AND THE NSA
COVER STORY: CYBER RISKS
IN 2014
MOBILE SECURITY REPORT
NEW DEVICES, NEW THREATS
SECURITY AND THE NSA
12 INFORMATION SECURITY n ASEAN n MARCH 2014
SECURITY AND THE NSA
carefully worded. Huawei Technologies, for instance, released a statement that said it will “conduct appro-priate audits to determine if any compromise has taken place and to implement and communicate any fixes as necessary”.
That’s just the hardware vendors. I’m no mathemati-cian, but it doesn’t appear that we’re entirely out of the woods, based on the NSA’s capabilities for directly weak-ening or attacking cryptosystems – namely, elliptical curve-based algorithms, the mechanism used in Dual_EC_DRBG, one of four DRBGs standardized by the Na-tional Institute of Standards and Technology (NIST SP 800-90A) in 2007.
Peter Woit, a senior lecturer in the mathematics de-partment at Columbia University, blogged in September 2013 that there was speculation in the mathematics com-munity that “there are other ways in which NIST stan-dard elliptic curve cryptography has been compromised by the NSA (see here for some details of the potential problems).”
On the other hand, Snowden had a lot of documents, and there are plenty of instances where you have to line up the PowerPoint slides side-by-side to make sense of what the NSA is allegedly up to. Whether Snowden was aware of the BSafe alleged back door or not, the back door was there.
This back door was essentially a class break – the NSA could violate the protections of anything encrypted with the default BSafe arrangement. It was a completely dif-ferent approach than selectively taking over equipment or software distributed to specific targets (which the NSA has also done).
In this instance, you couldn’t really trust the math. The core precepts of encryption (for example, products of very large prime numbers are hard to factor) may still hold. But one element at least that’s nearly as important – the ability to pick pseudorandom numbers that others can’t systematically guess – is up for grabs.
SHUTTING THE DOOR ON SURVEILLANCE?But it’s worse than that. There are perfectly good reasons to suspect even more security problems that the NSA dis-covered or, perhaps, purposefully injected. As reports sur-face alleging that various products from Cisco, Dell and other major hardware vendors have potential security weaknesses, only Apple has responded with a truly iron-clad-sounding denial of any involvement in the NSA’s sur-veillance activities. Other responses have seemed rather
The core precepts of encryption (for example, products of very large prime numbers are hard to factor) may still hold
COVER STORY: CYBER RISKS
IN 2014
MOBILE SECURITY REPORT
NEW DEVICES, NEW THREATS
SECURITY AND THE NSA
13 INFORMATION SECURITY n ASEAN n MARCH 2014
SECURITY AND THE NSA
ROBERT RICHARDSON is the editorial director of TechTarget’s Security Media Group. Follow him on Twitter @cryptorobert.
Woit noted: “The NSA for years has been pushing this kind of cryptography (see here), and it seems unlikely that either they or the NIST will make public the details of which elliptic curve algorithms have been compro-mised and how (presumably the NIST people don’t know the details but do know who at the NSA does).
We can’t trust the math. Some of it needs to be reexamined publicly, and soon. The industry – and, in particular, vendors that say they’ll fix any surveillance-enabling vulnerabilities “as necessary” – need to pour on the funding for research and standards development that returns us to a state where we can store data with confidence that it’s secure. n
TechTarget ASEAN Media Group
TechTarget8 Cross Street Level 28PWC BuildingSingapore048424
EDITOR Karl FlindersPRODUCTION EDITOR Claire CormackSUB-EDITORS Jason Foster, Craig Harris
VICE-PRESIDENT APAC Jon PankerFEATURES EDITOR Kathleen RichardsDESIGN Linda Koury
© 2014 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or byany means without written permission from the publisher. TechTarget reprints are available through The YGS Group.
About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused web-sites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.
COVER IMAGE: NMEDIA/FOTOLIA
