Infosec 2014: Threat knowledge is key to cyber security, say experts

Business should improve awareness of cyber risks to stay ahead of criminals, say experts

Business should improve awareness of current cyber risks and threats to stay ahead of cyber criminals, security and law enforcement professionals have told delegates at Infosecurity Europe 2014 in London.

“While security technology will help, a contemporary and dynamic awareness of real-world risks and threats is very important,” said Lee Miles, deputy head of the UK’s National Cyber Crime Unit (NCCU).

The NCCU, which underpins all operations under the new National Crime Agency, currently tracks about 320 cyber criminal forums to keep up to speed with cyber and cyber-assisted criminal activity.

“These are trusted places in cyberspace where criminals come together, providing one of the best streams of intelligence on criminal business models,” said Miles.

For this reason, businesses should get involved in threat intelligence forums across their industry, said the FBI’s Michael Driscoll, assistant legal attaché to the US Embassy in London.

“If businesses fail to share information with others in the same business sector, criminal cyber attack methods will continue to be successful,” he said.

Miles said the UK’s Cyber Information Sharing Partnership (CISP), now part of the new national CERT-UK, is an “excellent route” into sharing intelligence and learning about real-world threats.  

Independent security analyst Graham Cluley said intelligence about the threat landscape should be supplemented with intelligence about a company’s own flaws and weaknesses.

“Hack yourself to find out what your technical and human vulnerabilities are before the bad guys do it, so you can close those gaps before you are compromised,” he said.

In terms of security controls, Cluley said businesses should consider encrypting all data to ensure that even if they are breached, no personal or commercially sensitive data will be lost.

More on cyber crime

Driscoll said organisations should take a step back and look at what they are doing and why. “Organisations should ask themselves if they really need all their data to be accessible online,” he said.

They should also look at how they are sharing data, and what contingency measures they have in place for dealing with the inevitable attacks when they occur.

Miles said that at the very least, UK businesses should follow the 10 steps to cyber security guide published by the Department for Business Innovation and Skills.

“The point has been made by GCHQ head Iain Lobban that most threats can be eliminated by simply doing good, basic security well,” he said.

Miles said firms should also ensure cyber threats are on the agenda at every board meeting, that they are taken seriously at that level, and that board members know and understand the risk.

All members of the panel emphasised the need for international and cross-industry collaboration over cyber security.

For this reason, the FBI and the NCA are partnering with all the big internet firms and law enforcement agencies around the world.

“Unless we work with key partners, we realise that we cannot be effective,” said Miles.

One of the biggest challenges to collaboration is concerns about commercially sensitive information, but Miles said there is a willingness among tech companies to work with law enforcement organisations.

One of the biggest challenges, and one of the biggest changes, is the move to an as-a-service model among cyber criminals.

This has significantly lowered the barriers to entry because anyone who is willing to make a relatively modest investment in time and money can become a cyber criminal.

Driscoll added: “There is no longer the need to have technical knowledge. The availability of attack tools and services in criminals' forums means it is all too easy to become a cyber criminal for financial gain.”

Miles said this new services-enabled era of cyber criminal collaboration means that an ever-increasing number of people are becoming involved in cyber criminal activity.

Read more on Hackers and cybercrime prevention