Tackling cyber crime: four Approaches examined
This article is from the CW Journal archive.
The Security SIG likes to start with an unconventional view of world, and use that to form an agenda which is nothing like those predictable talking shops that you'll have attended this year. In planning our recent event we considered the macroeconomic trends in the crime industry. Our hypothesis was that recessionary pressures should lead to consolidation and, ultimately, to disruptive innovation. Did it happen that way?
We looked at four types of response to market change, to see which strategy was most likely to succeed in countering cyber crime innovation.
The most popular business strategy for dealing with any disruptive change is denial. So, we invited Dave Palmer of Darktrace to bring us news from the frontline of the cyber security wars and shake our complacency with tales of how quickly the threat is evolving. In a wide-ranging talk, we heard about new attacks on physical assets, intellectual property and business practices. I was particularly interested to hear how targeted emails ("spear phishing" attacks) are starting to use artificial intelligence to automate messages using natural language and small truths gleaned from the public-domain to win the reader’s confidence ahead of a malicious call to action.
GET INVOLVED WITH THE CW JOURNAL & OTHER CW ACTIVITIES |
Crime is a law and order problem, and governments can mitigate the effects with new regulations, backed up by robust policing. It was great to hear from the Met's Tim Court about successful investigations and prosecutions for cyber fraud. He moved the agenda beyond technology, with a philosophical aside about the psychology of crime: crime is a people issue, and it stops when individual criminals start to fear the impact of enforcement and choose legal ways to make their money.
The nature of IT fraud is essentially asymmetric, with complete coverage required for defence, but a small weakness being a sufficient to allow entry. Is the answer to increase the pace of innovation and to respond to threats more quickly? Fraser Kyne of Bromium talked us through the categories of recent end-point attacks, including browser vulnerabilities, ransomware, and a growing awareness of kernel exploits. He argued for defence in depth, using his own company's product as an example of micro-scale segmentation to contain security risks.
If security has a business value and an associated cost, will the market place work itself out? Nick Kingsbury is a venture capitalist with Kingsbury Ventures, and he guided us through a set of key questions for the board of directors of any company. He wanted to hear answers about the business impact of a security breach; the risk posed by third-party suppliers; and critically about the strength of the relationship between the Chief Information Security Officer and the board. I was struck by his point that traditional business practices require independent experts to audit financial accounts, but there's no formal requirement to audit the processes used to secure a company's intellectual property assets.
Cyber crime & fraud was a new addition to the UK Crime Survey and came in with a whopping number of estimated incidents in 2016
The final presentation was The Home Office's Jane Cannon, talking about her plans to establish a Cambridge office to facilitate the relationship between UK government and commercial solution providers, the Joint Security and Resilience Centre.
And we wrapped up with an open floor discussion of topics raised during the day. What's next for the Security SIG? Well, we'd like to hear from you about your agenda for security.
Tim sees Cambridge Wireless as a way to build the network of relationships that drive business growth and a better society for us all. Tim works to develop communications technologies from their earliest beginnings to mass market adoption, including WiFi, Bluetooth and cellular. He works as an engineering manager, with roles that have included programme management, product management, and business development.