Episodes

Wednesday May 24, 2023
CRESTCon 2023: Security and integrity with Jon Geater, RKVST and IETF
Over the last few years, security professionals have become increasingly concerned about where software, and software components, come from.
A growing number of significant security breaches have been caused by vulnerabilities in the software supply chain.
But should we now start to look beyond just software, and look at data too?
Jon Geater thinks we should. The keynote speaker at this year’s CRESTCon Europe, Jon is co-founder at RKVST and co-chair of the IETF’s supply chain integrity, transparency and trust working group.
Here, he discusses with editor Stephen Pritchard how we need to go beyond just software bills of materials and start to look at documents and data too, if we are to prevent disruption to the business.

Thursday May 11, 2023
CNI, healthcare and cyber threats
Any system that is connected to the public internet is at risk of cyber attack. And any system that connects to a network or other system connected to the internet is also at risk.
This poses dilemmas for operators of critical infrastructure. Devices and applications developed to run on standalone infrastructure, often with specialist operating systems, are not designed to work safely online.
How, then, can organisations operating critical national infrastructure protect their systems from cyber attack and still benefit from connectivity to the outside world, as well as the economies of off-the-shelf technology?
Our guests today are both experts in protecting health care systems.
Jonathan Langer is COO of Claroty Medigate, which focuses on securing the Internet of Things in health care.
And Adam Zoller is cyber security lead for Providence, a system of compassionate healthcare providers on the west coast of the United States.
They joined editor Stephen Pritchard to discuss why attackers target CNI and health care technology, where the weak spots lie, and how organisations can improve their security without disrupting vital business operations.

Thursday Apr 27, 2023
Insight Interview: Chris Dimitriadis, ISACA
ISACA today is one of the principal organisations providing accreditation and skills training for infosecurity professionals.
But that's not all it does. The organisation is involved in standards as well as developing tools for secure software development and driving areas such as digital trust.
That puts ISACA in a very good position to take the pulse of the cybersecurity industry. Our guest for this episode is Chris Dimitriadis, who is their Chief Strategy Officer.
In a wide-ranging interview, he discusses the growth of nation state threats and cybercrime, the industry’s focus on ransomware, and how organisations need to pay more attention to response and recovery from a cyber attack. We also cover the need for better collaboration between firms and government to counter cyber threats.
And, of course, we look at the industry’s ongoing skills crisis.

Thursday Apr 13, 2023
Nation state cyber attacks: an unstoppable force?
Nation state attacks are now an unavoidable part of the cybersecurity landscape.
And increasingly, these attacks are targeting commercial organisations, to gather intelligence, steal intellectual property or simply for political or diplomatic leverage.
Even if there is no specific hostile intent, businesses and public sector bodies risk being caught in the spillover from attacks aimed elsewhere.
Can organisations defend themselves against an attacker with the resources of a nation state behind them? And how does the nation-state threat rank against other risks?
Our guest this week is Rafe Pilling, principal security researcher at Secureworks’ counter threat unit. He is also a specialist in nation state attacks, with a focus on Iran and the Middle East.
In this episode he breaks down the modus operandi of attacks originating from, and targeting, that region. But, he suggests, there are defensive measures organisations can take that will protect against both nation state attacks and other threats, such as ransomware.
Interview by Stephen Pritchard

Thursday Mar 30, 2023
Cyber skills: are we our own worst enemy?
The cybersecurity industry has long complained of a skills shortage.
But is the industry itself at least partially to blame?
From recruitment processes to training, development and retention, and a lack of diversity, there is certainly work to be done. And with no let up in cyber threats, and a growing demand for skilled staff, this needs to be tackled with urgency.
Our guests this week are setting out to do that. Sally Walker is a former director of cybersecurity at GCHQ. She is now neurodiversity champion at WithYouWithMe, a social impact company looking to change the way we hire staff across the technology industry. And she is joined by former police officer Jim Fox, now a security consultant at Capita.

Thursday Mar 16, 2023
Data privacy, AI and the board
Is data privacy still something businesses need to worry about?
With financial pressures, rising inflation, the continuing aftermath of the pandemic and the ongoing challenge of recruiting skilled people – especially for technical roles – it would be understandable if privacy had slipped down the agenda.
Our guest this week, though, argues that it is wrong to overlook privacy concerns and data protection.
Camilla Winlo is head of data privacy at Gemserv. She points to new legislation, the need to use data to create competitive advantage and even the growth of AI as reasons to pay attention to data privacy.
So should it still be a board level concern?

Tuesday Feb 28, 2023
GPT-3, Generative AI, and cyberthreats
Over the last few months, AI has attracted even more attention than usual. Much of this is driven by OpenAI's ChatGPT tool, which allows anyone to create convincing, "human sounding" text from just a web browser.
But GPT-3 and generative AI can be misused, and could make it easier to carry out cybercrime or create fake news. Although ChatGPT has safeguards built in, the tools to create natural language text are becoming cheaper.
Security researchers at Finnish firm WithSecure put this to the test in an EU-supported project. They used a range of scenarios to see how "prompt engineering" could be misused, and how we can guard against it.
Our guest is WithSecure's intelligence researcher, Andy Patel. The full research report is also available for download.

Friday Feb 17, 2023
Security, diversity and resilience
IT security and business resilience are often viewed as separate disciplines. But both are now squarely board-level issues.
The challenge for IT directors and cybersecurity leaders, though, is that teams, technologies and practices exist in their own silos. This makes it harder for a business to defend itself, and harder for it to recover if defences are breached.
Our guest this week is Elizabeth Green. She is European advisory and cyber leader at Dell Technologies. Her background is in data and data protection – joining Dell when it acquired storage vendor EMC – so she has a deep understanding of both the need to protect data and the need to link data protection and recovery.
She is also an advocate for greater diversity in cybersecurity and the wider tech industry – without that diversity, organisations will always be more vulnerable than they should be.

Thursday Feb 02, 2023
Benchmarking, checkboxes and cyber hygiene
It’s often said that the cybersecurity and data privacy worlds rely too much on checkbox compliance exercises – and fail to get to grips with the real issues that put data and systems at risk.
But how true is that? Organisations face both increasing threats and increasing regulatory burdens. And often, CISOs and other business leaders lack a true picture of good practice.
This has prompted security researchers at Panaseer to develop a series of real-world security benchmarks.
The research came up with 18 steps that look more deeply at security standards and controls. The paper also sheds light on why some organisations still fail to carry out basic cyber hygiene measures, and how businesses can improve.
We asked the report’s author, Charlotte Jupp, to explain the ideas behind the research.

Wednesday Jan 18, 2023
Critical infrastructure, cyber threats, and lessons from Ukraine
In this episode we look at the continuing threats to critical national infrastructure, or CNI.
National infrastructure is under attack from nation state actors as well as from ransomware gangs and other crime groups.
And, as the war in Ukraine has shown, energy and power generation is especially vulnerable. Are we set to see more politically motivated cyber attacks, and are we likely to see more use of cyber warfare, alone or in combination with conventional military tactics?
Our guest this week is Jon Moran, a law enforcement veteran and former incident response consultant. He is now technical director at Tufin, where he is a close watcher of CNI and the risks it faces.