The In-security of Infosecurity

Infosecurity Europe

Infosecurity Europe has packed its bags and left Earls Court for the last time and we hope it has remembered to lock them.

Infosecurity Europe has packed its bags and left Earls Court for the last time. Next year’s show will move back to Olympia, later in the year on 2nd to 4th June. I posted a couple of blog posts from the show this week which focused on the main themes of the show and how things have moved on from last year. But, having spent three days at InfoSec I was struck by how taken for granted a lot of the ‘security’ we are surrounded by is.

A great example of this was the sheer amount of unattended personal property on display. I tweeted a photo of one vendor (who shall remain nameless) who had left their stand store-room open for quite some time. Notice the combination lock on the door, though. Wherever one looked there was a laptop, tablet or phone just waiting to be plucked from its out-of-sight owner. Other security problems I noticed were people reading restricted documents or talking about what I assume were confidential business dealings on the phone or in plain sight of the general public, a number of demo systems showing personal or confidential business data, and a fair few shoulder-surfing opportunities from one-fingered password typers. Yes, I did see you type “qwerty” as your password.

Even though it isn’t perfect, it’s still a relatively safe event. That is a remarkable achievement considering the conference part had its fair share of impressive hacking demos, some of which even extended to attendees’ mobile phones or the show wireless network. But luckily nothing on the scale of compromise usually seen at the hard-core conferences like Defcon or Blackhat, where there seems to be an unwritten rule about hacking as much of the supporting infrastructure as possible.

Having said that, I’m sure many attendees didn’t check whether the WiFi network they were connecting to was the legitimate show network and not a rogue access point. You didn’t, did you? Or perhaps they didn’t use their VPN connection whilst on that public WiFi; surely rule 1, especially at a security conference.

All of these hacking demonstrations show intent; in these cases the intent is to make people aware of the risks inherent in the use of technology, but there’s always a more malicious intent that could be unleashed by anyone who wants access to your data or wants to steal your property.

The lack of awareness shown by some people at InfoSec was, to say the least, disappointing. Or to put it another way – a facepalm moment. But remember, it’s only through seeing and understanding these weaknesses that we learn how to protect against them and prevent them from being exploited; and luckily learning about security is one of the founding principles of the show.

See you there next year.


The Rise and Rise of Targeted Threats

At Infosecurity Europe this year, it’s an interesting time. The idea of cloud services has become ubiquitous, which means there’s little need to talk about it, at least not in the way it’s been positioned over the last few years.

InfoSecurity Europe

2014 is the last time that InfoSec will be hosted in Earls Court and the venue isn’t the only thing that’s changing

It leaves the way open for new trends. I’ve already explored one in my previous blog post – the change in emphasis from external to internal threats.

In addition, one other noticeable trend is the rise of targeted attacks.

It’s an area made all the more significant by the recent news of the security flaw in most versions of Internet Explorer. It appears the flaw could leave users vulnerable to spear phishing attacks if they click on a link within an email (or IM message) to a malicious website designed to exploit this vulnerability in IE. Ultimately, the exploit could leave the user’s whole system vulnerable.

Spear phishing is similar to standard phishing, in that it uses social engineering in emails to persuade end users to act, usually by clicking on a link in the same email. The emails look like they come from a specific trusted sender, but the content is far from safe. The URL generally points to a drive-by malware site that will attempt to install malicious code on your computer, as well as persuade you to give up valuable user credentials. It’s a growing threat to enterprise-sized organizations in particular, and is fast becoming the attack vector of choice for hackers looking to gain access to or compromise an organization.

This technique, like many other targeted attacks, relies on the attacker knowing details about the target such as their name, address, job and e-commerce sites which they regularly use.

Data, both corporate and personal, is the soft underbelly that’s now ruthlessly being exploited by criminal gangs. I wanted to specifically say criminal gangs because it’s sometimes easy to forget that the perpetrators of these attacks are…well…not pretty, but behave in many ways like a normal business operation. Many even have employee healthcare plans.

It was refreshing to see and hear first-hand at InfoSec how ugly it gets, from the likes of Jason Hart, ex-ethical hacker, SafeNet, who hacked the attendees’ mobile devices as he spoke, and Thomas Olofsson, Intelliagg, who profiled a prolific spear phishing gang from Nigeria. In their presentations these guys truly got under the skin of what motivates these attackers.

As the culprits of these attacks become more sophisticated and extreme, the industry will have to change its way of planning to prevent these attacks, as well as effectively clean up afterwards. As Jason mentioned in his presentation – ‘think like they do – they’re after your data’. It’s sage advice as we gear up for a new front opening up in the battle to protect ourselves online.

If you’d like to talk about this or other security trends and are attending InfoSec in London today, do drop by our stand F86 where we can also explain how our new service Targeted Threat Protection can help protect your business from spear phishing attacks.


InfoSec 2014: a New Chapter for the Security Industry

2014 is the last year Infosecurity Europe will be hosted in Earls Court, London. Next year it moves to a brand new venue – Olympia, London.

So it’s somewhat fitting that this year’s show heralds a shift in the trends, buzz words and tone.

No longer is the word ‘cloud’ everywhere on the stands and in speaker summaries. That’s not to say the concept is no longer recognized – it’s just very quickly become a de facto approach for IT planning and investment.

However, what’s really interesting is the type of emerging trends left exposed now that the dominant ‘cloud’ term has become less prominent.

In this post I wanted to explore one trend in detail (I’ll be exploring others in future posts) – the change in emphasis between external and internal threats. In a post-Snowden world of data security the accent on the risk presented by an organization’s own users has been obvious: not only have I noticed more stands showing messages about the likes of ‘user policy management’, but the keynote presentation from PwC highlighted the same shift.

PwC’s 2014 Cyber Security Breaches Survey, announced yesterday at InfoSec, makes for really interesting reading and will be downloadable in full here. What immediately jumped out at me was the percentage of large organizations that suffered staff-related security breaches – 58%. In addition, 31% of the worst security breaches in the year were caused by inadvertent human error and a further 20% by deliberate misuse of systems by staff.

According to the research, while the number of security breaches seems to be receding, the overall cost of the breaches is increasing. No wonder, then, that the IT industry is looking with more purpose at administration, and in particular at detailed user profiling, as a means of reducing the risk companies are facing.

If you’d like to talk about this or any other emerging trends and are attending InfoSec in London this week, do stop by stand F86 – we’d be happy to talk about the future of information security…and of course we have loads of prizes to be won.


InfoSec 2013 = Cloud Is Growing Up

London was again the venue for the 18th Infosecurity Europe conference last week. Along with over 100 other exhibitors, it was a busy three days for Mimecast – security workshops (summarized in our blog post last week), talking to crowds attracted to our eye-catching stand and some great conversations with media, customers and prospects.

As expected at the premier security event, security was hotly discussed with topics such as mobile security, cyber warfare, threat detection and prevention reoccurring themes.

Given security is a vital part of our offering, we’re most interested in the evolution of the security landscape and how it impacts communication technology in business. From this viewpoint, we noticed a clear point emerging from the conversations this year – we’re entering a new chapter in the maturation of how businesses consider cloud services.

Gone are the days of businesses questioning whether their data is safer in the cloud; now the focus is on issues such as whether a vendor truly believes in industry standards. For instance, there is an increasing expectation that vendors be accredited against third-party standards, e.g. ISO 27001, and participate in transparency initiatives such as the CSA STAR registry.

In addition, IT teams are becoming increasingly sophisticated in testing whether vendors can stand by their SLAs. On this subject, one of our customers, Paul Dryden, gave a vivid example in one of our workshops of how he evaluates cloud vendors: during a tour of the data centre he spontaneously asks the vendor to cut the power to see how the system reacts. Apparently only one vendor has managed to perform the immediate simulated power cut for Paul, and while this is one of the most extreme examples, we’ve encountered other customers and prospects who have indicated that they’re testing the SLAs of cloud vendors more rigorously.

With increasing pressure to comply with industry standards and more demanding tests of the strength and depth of their service, cloud vendors seem to be at a crossroads. Those services which have the scale and rigour to meet these growing expectations can look forward to growing recurring revenue, while the others will find themselves outside of the commercial conversation.

It’s possible that we’ll look back at 2013 as the year that there was a shake-out of the cloud service vendors, with security one of the key drivers for this change.