Interview: Ian Glover, president of Crest
When cyber-security scare stories hit the headlines, they are invariably about critical national infrastructure. Yet on a lower level, penetration testing, incident response and threat intelligence are becoming part of everyday cyber-security life, as Crest president Ian Glover explains.
On the morning that Ian Glover and I meet at the Institute of Directors there is what appears to be a news item on the front page of the Daily Telegraph under the headline: ‘Cyber attackers as big a threat as terrorists’.
Closer inspection reveals that it’s not really a news story at all, but a somewhat opportunistic teaser to divert the reader to an op-ed ‘thought piece’ commissioned from the head of GCHQ, in which Jeremy Fleming discusses the defence of the “digital homeland”. It’s another instance of a national newspaper raising an issue to news status when there is nothing new to report.
“The difficulty with some of those articles,” says Glover, “is that for the sake of clarity they merge elements of cyber security.” Glover, who is president of Crest, a not-for-profit organisation set up to promote R&D in standards for professional technical information assurance practices, explains: “There are actually a number of threat categories to consider, including threats to individuals, business (particularly small businesses) as well as critical national infrastructure. What we need to do is understand the threat levels. You can add in the Internet of Things (IoT) and other systems, too, but generally we’re dealing with these categories.
“What we’re seeing now is a move to make people more aware of cyber security. There are lots of items on TV and radio describing good cyber-hygiene activities and for the individual there are a number of things that you can do to protect yourself – including Cyber Essentials [a government-backed scheme] – most of which mirror what you’d do to protect yourself offline. So to have this in the media is good.”
SMEs (small to medium enterprises), Glover says, “will have their own firewalls, monitoring and assessment of what they might do in terms of virus management or malware”. Yet the problem here is the attacks are increasing in a context of businesses “trying to make a living, which means some procedures that you might expect them to have in place aren’t there, while some threats that will come in future will make these measures obsolete. The idea of losing your data through some sort of ransomware attack is prevalent and is a massive business.”
In describing the idea of essential cyber management, Glover offers the analogy of high-street shops moving into malls, not just because they are “lighter and nicer”, but because “there is a security guard on the door and there is inter-communication between shops”. In the physical world, gated retail communities offer extra levels of protection. In the SME market “what we need to do is start investigating and investing in the next level of protection. We need to introduce new types of controls and move towards the shopping centre-type model where there is protection against relatively organised crime. In the digital environment, this might include a move to cloud or security-on-demand services. For the bigger enterprises with large amounts of money flowing through – such as banks and big retailers – there will be more sophisticated attacks and so you will need to do a lot more.”
Glover says threats of the future will be different, “but we’re trying to protect against ‘naïve and stupid’”, which he defines as “not thinking you’ll get money from a long-lost Nigerian cousin, simply by opening emails from people you’ve never heard of. It’s almost as basic as that.”
He warns that he is starting to see changes in the sophistication of such attacks, even at this level. “If I were a cyber criminal, I’d be making a lot of money out of this because nobody is prosecuting me and it’s a lot easier than drug trafficking and other forms of extortion. However, I’d also be reinvesting my money in a number of things. If you look at what’s out on the market, you can buy attack tools very cheaply now. You can watch internet videos that tell you how to extract money via ransomware or how to operate within a bitcoin industry to make sure your tracks are covered. There are ratings with feedback for the different types of attack tool, which is quite incredible.”
Glover believes the next generation of attacks will “use artificial intelligence and Big Data analytics”. This will no longer present itself as “emails that don’t look quite right”, but will escalate into mass targeted attacks “that will make you open emails that you wouldn’t normally”. In other words, “if I get something from my accounts department at the end of the month asking me a specific question I am expecting to see, it will look legitimate, meaning I will be more likely to open it. That is the move happening within the cyber-attack community.” He goes on to remark that to do this, attackers are using essentially the same strategies marketing companies employ to drive traffic to legitimate websites.
“If you believe the police statistics – which I have no reason to disbelieve – this is the fastest growing area of criminality.”
Cyber attacks on the individual, says Glover, “are easy to operate, the money is very good and there is a low probability of prosecution.
“At this level we’re talking about the need to employ cyber-security strategies and employ organisations to help with this. At a higher level, personal information needs to be protected, as well as financial services and intellectual property rights. At the top end, we’re talking about critical national infrastructure, where we are seeing a concerted view that there is at least vulnerability.
“For example, security systems in the banking sector are very good. Yet we need to gain an extra level of assurance, which is why we’re seeing things like CBEST intelligence-led cyber-security tests coming through. Apart from banks, there are telecommunications, water systems, aviation and space. These are the areas that organised crime will be attacking.
“Are there attacks on these elements of critical national infrastructure going on today? I think there are serious attempts to prod it with a stick. We need to look at that carefully. The problem is that if nation states are seriously talking about offensive capability, then this raises the question of whether smaller organisations should address the issue of having offensive capability, too.” Glover says that he is “really not sure” of the ethics of this at the moment.
The problem for SMEs, says Glover, is that they typically have scarce resources to allow them the luxury of “analysing their control areas in an appropriate way, which is why I think that security-on-demand will come to the fore and why we need to understand security offerings being put forward by the cloud services providers. At the moment it is very difficult, from a security perspective, to differentiate a good cloud services security provider from a bad one.”
At this point, Glover draws my attention to the UK government’s IT health-check scheme, ‘Check’, which is essentially “a system for doing penetration testing. They used to run the system autonomously, putting organisations on a register to provide those services on behalf of the government.” Due to personnel changes, the government lost the ability to run those exams, causing the industry to stand back and look at the scenario.
“At the time, I was on the board of Siemens running cyber-security services, where we had a very big Check team. I was asked to provide services for banks and big manufacturing organisations using our Check membership and qualified people to do that type of work.”
Restrictions under the scheme meant there was an obligation to use a UK-domiciled organisation with personnel capable of passing government security clearance, “which doesn’t fit very well with normal procurement law or within the private sector. The industry got together and decided they would assist the government by developing the examinations so they could be run independently. Yet most importantly, we needed a company accreditation scheme that could be put into the private sector in the domestic and international markets.”
As a result, Crest came into being to provide access to “skilled, knowledgeable and competent” individuals. In order to do that, “we accredit organisations. We audit their processes and procedures and make sure they are fit for purpose in the market within which they operate, that they protect client information and have appropriate methodologies. We accredit companies in penetration testing, cyber-security incident response, threat intelligence and very soon we’ll be launching a service looking at SOCs (security operations centres).”
Glover says that Crest now has in the order of 100 organisations on its books, “the majority of which are in the UK. Yet we are seeing markets in south-east Asia and the US growing and we’ve always had a good relationship with Australia.” Tied into company accreditation, there are also professional qualifications in penetration testing, incident response and threat intelligence. To gain these, individuals typically need about 1,800 hours’ experience on top of a Master’s degree to pass the basic exams, moving up to 6,000 hours, followed by 10,000, which is roughly the equivalent of five years “regular and frequent experience of doing this type of work. We don’t have the concept of professional development after that. We just re-examine people every three years from there. The exams are hard.”
This combination of professional-level qualification with company accreditation “is what Crest operates as a scheme. We assist the Bank of England on their CBEST scheme and we assist companies with specialist ‘red team’ type operations to assist with their penetration testing. We do the same for the telecoms industry in the UK, the Hong Kong Monetary Authority, the Monetary Authority of Singapore and so on. What we are doing is gradually extending those schemes into areas of critical national infrastructure.”
Glover says this is all part of his work in “professionalising people’s attitude towards cyber security”. He stresses that he doesn’t work in cyber-crime countermeasures, but rather in repositioning strategies for managing threat.
“If you look at company accreditation and the certification of individuals, this is tied into codes of conduct which are enforceable. If we were to remove a company from our register, that means they won’t be able to work for the Bank of England and so on. There is a big impact on an organisation’s ability to trade. We’ve just launched TBEST for the telecoms sector, which means that if you are removed from the register, you’ll probably not be able to work in telecoms at a critical national infrastructure level.
“We have a back-to-back agreement with GCHQ under their Check scheme, which means we’d have to let them know if we had removed a company. We’d have to let the National Security Agency (NSA) know. On an individual level it isn’t quite a licence to operate, but if we remove someone it will take out their ability to operate in various sectors. That element of certification with meaningful and enforceable codes is an indication of a professional institution.”
For organisations that have yet to address their cyber security seriously, Glover – who has been “doing this kind of work for 40 years” – has these words. “The landscape is changing quite dramatically. For the first 35 years of my career nobody had any idea of what I did for a living.” Even today, he says, most people have no more than an inkling of the significance of cyber security, but “there is a greater level of awareness and a feeling that perhaps they might need to do something about it”.
However, things such as the imminent GDPR (General Data Protection Regulation) are prompting organisations at board level to think about their risk profile and consider what level of protection they need, says Glover. “Is it basic cyber-hygiene through Cyber Essentials? Or is it something more in terms of cyber-penetration testing tied into an information security management system under ISO 27001? These are the types of questions that should be asked to make sure you’re doing what needs to be done.”