Joseph Rose is a Senior Security Architect for a large financial institution. Johanna Hamilton AMBCS asks him about the challenges of cyber security for the decade and why humans pose more problems than quantum.

The very nature of inter-continental financial business is that we’re always plugged into disparate bourses and clearing houses. In order to keep each part of the process safe, it’s essential to take a multi-faceted approach to security.

In the past, data breaches have gone undetected for months, sometimes years. Do you think new systems are better able to detect unauthorised access?

When something new is connected to the network, there is a device security handshake using a network admission control protocol called 802.1x. Some tools have integrations to vulnerability management tools, to check security posture. So, if somebody connected a new server up, which might be just building the server for the first time, it could trigger a vulnerability management scan. If any severe vulnerabilities are found on that end point, then the network access control tool can actually flip the VLAN membership on the port, effectively disconnecting the server from the network so that it can't provide a weak point affecting overall security.

Do you think there will be a move more towards disconnection to increase system protection?

In financial services, there is always a balance between ultimate security and ensuring financial transactions can always take place. A lot of these problems, whether it's an internal system threatening another, an insider threat to multiple systems, somebody trying to impersonate an employee, or moving laterally across the network - all these things should always be blocked. However, a fail-close intrusion protection system might result in lost financial transactions, which, obviously isn’t acceptable.

How do you feel about third-party solutions taking care of issues such as expiring certificates?

Companies like Venafi are well regarded in the sector and their solutions are widely used. They have a written-up case study in NIST SP 1800-16 explaining how to link it up to certificate servers and also to hardware security modules for certificate lifecycle management.

Also helpful for certificate management is to enrol systems with a registration authority. Companies that have a mobile device management system like Xenmobile or Airwatch, will configure phones or iPads to present a certificate in order to connect to a backend network, so that an application on the mobile phone can retrieve internal data. The phone also enrols with a registration authority, so that it can regularly receive new identity certificates. It's probably used for non-business purposes as well as work and might be used in risky or public locations where there could be shoulder-surfing.

Based on that, you don't want the mobile device, managed or unmanaged, to have a long-lived security certificate that it uses to authenticate. The registration authority can grant a new certificate, typically weekly, but then if the device is compromised, the enrolment certificate can be revoked.

Security seems to be moving more towards multifactor authentication. Do you think passwords will be phased out altogether?

I believe MFA should be used at all levels, not just for remote access. MFA should also be used for the desktop to replace the password itself with a more secure factor such as your fingerprint or your face. We’re starting to see the use of biometrics more widely instead of a password - this is especially true of the banks adopting ‘passwordless’ authentication.

There's little commonsense things that could be done as well, so when a user joins a company, they might have given a default password which will satisfy the company's password policy in terms of number of characters, upper-case, lower-case characters, numbers or symbols, that kind of thing. But, it's also increasingly important that it is not a real word. The password should be randomised, or a passphrase combining multiple words.

If password1 comes up as the default, human nature will often mean it’s changed to password2. The problem is then that it leads to anyone with a reasonable amount of talent as a hacker, ethical or unethical, to do something called a dictionary attack - they will use known default password words and they will try and add things to those words and see whether or not they can get through that initial layer of security.

If, however, if you create a user's password and it's got an eighteen-character completely random password, there's no way the user is going to remember that so they're going to change it. It may end up with some familiar words like family member names, but if it's a combination words and some numbers or other modifiers, the dictionary attack won't work anymore. The Centre for Internet Security's guidelines recommend that a password must be at least 14 characters long.

How does your company deal with pen-testing?

We have regular security testing to validate company security posture. After the testing, we hold meetings to analyse what was found, the steps taken during the test and the outcome. In the wider community, this new breed of hackers is certainly well paid. Traditional hackers might have broken into systems to steal information. However, now the larger companies such as banks are offering bounties to hackers to see if they can break into a system. If they can go to the vendor, with evidence of what they did and what vulnerabilities were exploited, the company can then patch the problem to stop more nefarious actors doing something similar.

Does the advent of cloud make things more unsafe?

It depends on how it's set up. Cloud access security brokers that control more than just an IP address whitelist, are more context aware. We can access an app from our sites, but if somebody is trying to get onto it at 9pm at night, when everyone else has gone home, then that’s an anomaly and we might have an issue with that. We would need to understand what that's all about and raise that as an anomaly. Cloud access security brokers (CASB) can have user behavioural analytic aspects to what it's doing as well, so it can report on anomalous behaviour.

This is important for tracking insider threat – the person doesn't want to be seen conducting their inquiries or their attacks or anything like that, so it's something they might try and do in the very early morning or in the evening. That’s assuming there's nobody telling them they have to leave the building. In the defence sector, they have a strong policy on lone working. If two of you are in the office and the other is leaving, you have to go too.

Do you think hot-desking could make a system less or more secure?

Hotdesking is becoming increasingly common in financial services, especially in large cities like London, simply because there aren't enough desks for everybody and there is more remote working. It’s also assumed that a desktop PC will be as stateless as possible. So, there is no data to be kept there. Even if there is a desktop, it should ideally be something you boot into and then the data is somewhere else, either on a file server, the data centre or increasingly, the Cloud.

It’s got to be stateless. Even though people will say ‘I've got an encrypted laptop,’ you're pushing the issue down the chain a little bit. If you have an encrypted laptop using the built-in Windows bit-locker for instance, that supposedly uses a chip on the motherboard to store the key, which is used to decrypt what is stored on the laptop. However, that's been cracked now, so it's no longer secure - so you need some sort of centrally managed laptop encryption.

How do you think quantum computing will change how we compute in the future and impact on cyber security?

The big deal with the quantum computer, is that it's able to do a lot of things in parallel. The RSA algorithm for instance, is two prime numbers multiplied together - so, in order to work out what it is, you've got to solve two unknowns. If it's sufficiently large prime numbers to create a long key, a traditional computer is going to take years to work that out.

The theory is that within six or seven years, the researchers in this area think that some of the currently popular algorithms could be cracked and will no longer be safe. I don't think it's a problem for right now, but what is an immediate problem is for companies to be aware that they may have multiple public key infrastructure (PKI) or certificate services infrastructures in their company.

Tools exist to scan the network for certificates that have been issued, their security posture and which PKI signed these. My advice for 2020 is to use a Qualys Certificate Security Assessment to build up a picture of how bad things might be in your network and take remediation steps as soon as possible.


Joseph Rose will be speaking at the Qualys Security Conference at The Royal Institute of British Architects on 16 January 2020.