How to Prevent Cyber-Attacks: Q&A With David Ferbrache of KPMG

essidsolutions

“Having a coherent internal view of security controls, ideally with continuous monitoring, provides a single version of the truth from which different dashboards/viewpoints can be built.”

David Ferbrache, Global Head of Cyber Futures, KPMG, talks about what goes into creating a robust framework to prevent cyber security attacks in this candid Tech Talk interview with Toolbox. David highlights why cyber security is a significant challenge in the wake of fake news and social engineering. He addresses what cyber security professionals and CTOs can do to build security controls that keep pace with global privacy laws.

David has spent 30 years working in cyber security with several governments, law enforcement agencies, and IT companies. In his current role at KPMG, David is responsible for their cyber security arm. He guides global organizations in transforming their security, privacy, and continuity controls. Toolbox caught up with David to gain his insights on global security, privacy legislation and data breach protocols in a post-GDPR world.

David also answers questions on:

  • How does social engineering pose a challenge for cyber security professionals?
  • What are the tools and infrastructure required to detect and take down inappropriate content?
  • What role does the Cloud play in managing security?

Key takeaways from this Tech Talk interview on cyber-attack prevention:

  • Tips for cybersecurity professionals to defend against ‘Magecart’ attacks
  • Best practices to consider for initial coin offering (ICO)
  • Trends to follow in cyber security for 2020

Here’s what David shares on how to prevent cyber-attacks:

David, to set the stage, tell us about your career path so far and what your role at KPMG entails.

I have been in cyber security for over 30 years, long before we called it that. I started in 1986 researching computer viruses, of which there were only a few dozen at the time, before joining the UK’s Defence Research Agency to research IT vulnerabilities. In the years that followed I set up government penetration testing teams, carried out national infrastructure reviews, ran the first UK/US cyber wargame, helped write the first UK national cyber security strategy and set up many of the Ministry of Defence’s cyber security structures as their Head of Cyber and Space. After joining KPMG 6 years ago, I was their CTO for Cyber in the UK firm, before becoming their Global Head of Cyber Futures. I spend my time looking at the cyber security implications of emerging technology, driving their innovation programme and helping prepare for the future. Good fun but challenging as well.


In your opinion, what are the three challenges cybersecurity professionals will face in the wake of the proliferation of fake news and the growing risks around social engineering?

Social engineering attacks are becoming more sophisticated and targeted. We can expect to see criminal groups make use of AI to create custom spear phishing, to defeat security measures (we already see this with Captchas), and perhaps even to undertake social engineering. In response we need to focus on user education and awareness, block the most obvious phishing campaigns and help users reach judgements on the trustworthiness of emails and links. A key benefit of running a simulated phishing campaign is that it can increase the number of users reporting phishing attacks, which in turn helps reduce the time taken to detect targeted phishing. We also need to work more closely with tech providers and law enforcement to disrupt and tear down the infrastructure used by organised crime to run these campaigns, imposing a cost on the criminal groups. We may see battling AIs as our security AIs detect and block criminal AIs.

There is a mindset issue here as well. Perhaps it is time to stop treating users as the weakest link in our security, and ask ourselves whether our security systems are simple, usable and unobtrusive. Do we treat them as one of our best sensors, helping users report their suspicions easily and allow us to pick up on the smaller scale and more targeted social engineering campaigns?

Fake news is trickier. We live in a world where social media can create new memes and where conspiracy theories can gain traction surprisingly quickly. Content platforms are coming under increasing pressure to “police” themselves, but there is a lack of clarity on when freedom of speech crosses the line to content which is discriminatory, extremist or even inciting violence. These judgements are hard for states to make, often treated as a last resort because of the precedent they set, and are doubly hard for global platforms operating under multiple jurisdictions. In this world, brand and reputational management has become a boom industry.

There is a lack of consensus on cyber law across the globe. What advice would you give Chief Technology Officers (CTO) for creating frameworks to address cyber security concerns in keeping with global laws?

Having a coherent internal view of security controls, ideally with continuous monitoring, provides a single version of the truth from which different dashboards/viewpoints can be built. In many cases the underlying security and privacy controls are common building blocks, but the policies around the operation of these controls vary. For example, it is increasingly important to manage the meta-data around sensitive information, be it market-sensitive or personal. This forms a key part of the access controls to that information, but also is the basis of decisions on the storage, processing and transmission of that information within an increasingly complex framework of global privacy laws. For their part, regulators are also looking for increasing levels of assurance around security controls, often adopting different reporting frameworks and obligations.

I’d also encourage CTOs to think about building forecasting into their security compliance models. Five years ago, there were very few regulatory frameworks directly addressing security and privacy controls. Looking ahead, this will change and change quickly. It’s important for firms to have a forward-facing view of global security and privacy legislation. What’s on the horizon? What does it mean for our infrastructure and our data handling? How do we demonstrate our compliance?
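The answer above describes sensitivity metadata as a common building block that both drives access decisions and decides where information may be stored and processed. The following Python is an added illustration of that pattern, not code from the interview or from KPMG: a record carries a tag (classification, personal-data flag, data-subject region), a principal carries a clearance and roles, and the same two decision functions are reused for access checks and for a monitoring sweep that finds records sitting somewhere their tag forbids. The clearance levels, region names and the `ALLOWED_STORAGE` rule table are constructed stand-ins for a real policy register.

```python
"""Added example: sensitivity metadata driving access and transfer decisions.

Hypothetical code, not from KPMG or the interview. Region names, clearance
levels and the storage rules are constructed stand-ins for a real policy set.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DataTag:
    """Metadata carried with a record; the decisions below read only this."""
    classification: str                        # public / internal / confidential / restricted
    personal: bool                             # record contains personal data
    subject_region: Optional[str]              # residency of the data subjects, e.g. "EU"
    categories: FrozenSet[str] = frozenset()   # e.g. {"market-sensitive"}


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str
    roles: FrozenSet[str]


# Constructed clearance ordering.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed rule table: regions where personal data of a given subject region
# may be stored. A real system would load this from the legal/compliance register.
ALLOWED_STORAGE: Dict[str, FrozenSet[str]] = {
    "EU": frozenset({"EU"}),
    "UK": frozenset({"UK", "EU"}),
    "US": frozenset({"US", "UK", "EU"}),
}


def access_decision(p: Principal, tag: DataTag) -> Tuple[bool, str]:
    """Same building block everywhere; only the tag and the rule tables vary."""
    if LEVELS[p.clearance] < LEVELS[tag.classification]:
        return False, f"{p.name}: clearance {p.clearance} below {tag.classification}"
    if "market-sensitive" in tag.categories and "insider-list" not in p.roles:
        return False, f"{p.name}: market-sensitive data needs insider-list role"
    if tag.personal and "privacy-trained" not in p.roles:
        return False, f"{p.name}: personal data needs privacy training"
    return True, f"{p.name}: allowed"


def transfer_decision(tag: DataTag, dest_region: str) -> Tuple[bool, str]:
    """May a record with this tag be stored or processed in dest_region?"""
    if not tag.personal:
        return True, "no personal data: no residency constraint"
    allowed = ALLOWED_STORAGE.get(tag.subject_region or "")
    if allowed is None:
        return False, f"no rule for subject region {tag.subject_region}; default deny"
    if dest_region not in allowed:
        return False, f"{tag.subject_region} personal data may not be held in {dest_region}"
    return True, "allowed"


def storage_violations(inventory: Dict[str, Tuple[DataTag, str]]) -> List[str]:
    """Continuous-monitoring sweep: which records sit somewhere their tag forbids?"""
    return [rid for rid, (tag, region) in inventory.items()
            if not transfer_decision(tag, region)[0]]


# Constructed inventory: record id -> (tag, region where it is currently stored)
INVENTORY: Dict[str, Tuple[DataTag, str]] = {
    "cust-1001": (DataTag("confidential", True, "EU"), "EU"),
    "cust-1002": (DataTag("confidential", True, "EU"), "US"),   # breaks the EU rule
    "deal-77": (DataTag("restricted", False, None, frozenset({"market-sensitive"})), "US"),
    "press-3": (DataTag("public", False, None), "US"),
}

if __name__ == "__main__":
    alice = Principal("alice", "confidential", frozenset({"privacy-trained"}))
    bob = Principal("bob", "restricted", frozenset({"privacy-trained"}))
    print(access_decision(alice, INVENTORY["cust-1001"][0]))
    print(access_decision(bob, INVENTORY["deal-77"][0]))   # bob lacks the insider-list role
    print("misplaced records:", storage_violations(INVENTORY))
```

The point of keeping the decision logic in two small functions that read only the tag is that a jurisdiction-specific change (a new transfer rule, a new category) lands in the rule tables, while the control itself, and the dashboards built on its output, stay the same.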

You once said, “The battle for cyber space isn’t just about disruption of infrastructure, although that will be a concern for many nations.” What are your thoughts on building the tools and infrastructure required to detect and take down inappropriate content on the various public internet platforms?

The major social media platforms are now being driven by regulatory and public scrutiny to scale up their investment in inappropriate content detection, such as Facebook’s recruitment of 20,000 on-line content moderators. The manual review model is unsustainable given the volume of content, driving a requirement for AI to be applied to content review. This is inevitable and despite teething troubles, AI moderated content review will become commonplace. The debates on which materials contribute to on-line harm continue, and we can expect to see regulators being more directive in this space. Separately, cyber defenders are building out active defence models (such as the UK National Cyber Security Centre) designed to block malicious content and accelerate the take-down of criminal botnet infrastructure. We can expect to see an increasingly rapid cycle of automated content (and infrastructure) creation and takedown as States and organized crime battle on-line; this will of course cause repercussions as legitimate content becomes collateral damage.


How do you see adoption of Cloud changing the way businesses manage security?

For me the big advantages of cloud come with IaaS and the ability to consistently implement security policies and controls, with an integrated set of virtualized security devices, an increasingly sophisticated set of monitoring heuristics and an ability to undertake continuous controls monitoring. Being able to extend that environment to manage on-prem and cloud environments is the future as we move to hybrid cloud. There are some challenges between cloud providers establishing a closed ecosystem vs. allowing an open marketplace for innovation and third-party solutions. Now I see a risk of disruption in the established security markets as cloud providers become dominant; we already see that in malware protection, but I expect that to extend to SIEM solutions over time.

Alongside these changes we are also seeing clients wrestle with the implications of the shared responsibility model for cloud security, working to restructure their security teams while simultaneously accepting that the cloud provider will shoulder responsibility for technical controls. This requires clarity on the role which will remain with a client, namely: identity and access policies, information handling policies, risk and compliance, and of course ultimately in the worst-case incident, crisis management. We are also seeing a painful change in culture to embed security principles into DevOps and security testing into continuous integration/delivery; a very different world to managing the security of on-prem legacy systems.


What framework do you use for cryptocurrency management at KPMG? What are few initial coin offering (ICO) best practices to consider?

When we advise clients we use our blockchain security and risk framework which draws on many of the well-established security and privacy principles which apply to the protection of entities involved in crypto currency including individuals with their own private wallets, on-line wallets and currency exchanges, but then goes further to look at 10 separate areas of risk including topics such as: crypto key management and tokenization, chain permission management, chain defence, consensus mechanisms, scalability and performance.

ICOs remain a relatively recent phenomenon and as a result regulatory practices are still developing across many jurisdictions. A major regulatory concern can be the potential for fraud including the operation of Ponzi style schemes such as OneCoin along with various “pump and dump” scams which hype the new offering. Even if the ICO is legitimate there are concerns over the potential laundering of “dirty” money in existing crypto currencies requiring caution over compliance with anti-money laundering legislation, and of course the security of the underlying crypto currency itself which is likely to attract considerable unwanted attention during the launch.

In 2018, cyber-attacks known as ‘Magecart’ attacks took place against major e-commerce websites. What are your top three tips for cybersecurity professionals to defend against such attacks?

These attacks tell us a few things. Firstly, secure your content management system for any websites or portals and test that security. Secondly, monitor your on-line presence to be certain that the integrity of your websites (and their supporting domain naming servers) is maintained. Lastly, make sure your organisation exercises this scenario including processes for notification of customers and co-ordination with the card issuers and schemes if the worst case does happen. In a post GDPR world the fines for a major breach of personal data from website skimming can be quite eye-watering, placing renewed attention on privacy and customer trust.
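The second tip above, monitoring the integrity of the website and its DNS, is the one that turns a skimming incident from something discovered by the card schemes months later into something the site owner sees on the day. The following Python is an added example of that check, not code from the interview or from KPMG: it builds an inventory of a checkout page's script tags (external sources plus a SHA-256 of each inline body), diffs a fresh fetch against an approved baseline, and flags any script served from a host outside the allow-list or any inline script that has changed, which is how a skimmer usually shows up. A companion function compares resolved A records with the expected set. The two HTML pages, the `*.example` host names, the 192.0.2.0/24 addresses (RFC 5737 documentation range) and the injected `resolve` callable are all constructed so the example runs offline; a real monitor would fetch the live page and query DNS itself.

```python
"""Added example: baseline-and-diff monitoring of a checkout page's scripts and DNS.

Hypothetical monitoring code, not from the interview or KPMG. The HTML, host
names (*.example) and addresses (192.0.2.0/24, RFC 5737) are constructed; a real
monitor fetches the live page and resolves DNS itself.
"""
import hashlib
from html.parser import HTMLParser
from typing import Callable, Dict, Iterable, List, Set, Tuple
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collects external script URLs and SHA-256 digests of inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.external: Set[str] = set()
        self.inline_hashes: Set[str] = set()
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.add(hashlib.sha256(body).hexdigest())
            self._in_script = False


def script_inventory(html: str) -> Tuple[Set[str], Set[str]]:
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.external, p.inline_hashes


def diff_inventory(baseline_html: str, current_html: str,
                   allowed_hosts: Set[str]) -> List[Tuple[str, str]]:
    """Findings as (severity, message). A script from a host outside the allow-list
    is the usual sign of a third-party skimmer; a changed inline script is the
    sign of a tampered first-party page."""
    base_ext, base_inl = script_inventory(baseline_html)
    cur_ext, cur_inl = script_inventory(current_html)
    findings: List[Tuple[str, str]] = []
    for src in sorted(cur_ext - base_ext):
        host = urlsplit(src).hostname          # None for a relative (first-party) path
        if host is None or host in allowed_hosts:
            findings.append(("medium", f"new script from known host: {src}"))
        else:
            findings.append(("high", f"new script from unknown host {host}: {src}"))
    for h in sorted(cur_inl - base_inl):
        findings.append(("high", f"new or modified inline script sha256={h[:16]}"))
    for src in sorted(base_ext - cur_ext):
        findings.append(("low", f"baseline script no longer present: {src}"))
    return findings


def dns_check(expected: Dict[str, Set[str]],
              resolve: Callable[[str], Iterable[str]]) -> List[Tuple[str, str]]:
    """Compare live A records with the expected set. `resolve` is injected so the
    check runs offline here; in production pass a real resolver."""
    findings: List[Tuple[str, str]] = []
    for host, ips in expected.items():
        got = set(resolve(host))
        if got != ips:
            findings.append(("high", f"{host} resolves to {sorted(got)}, expected {sorted(ips)}"))
    return findings


# Constructed pages: the approved baseline and what a later sweep fetched.
BASELINE_HTML = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://analytics.example/a.js"></script>
<script>window.cfg = {currency: "GBP"};</script>
</head><body><form id="card"></form></body></html>"""

CURRENT_HTML = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://analytics.example/a.js"></script>
<script src="https://cdn.tracker.example/s.js"></script>
<script>window.cfg = {currency: "GBP", beta: true};</script>
</head><body><form id="card"></form></body></html>"""

ALLOWED_HOSTS = {"shop.example", "analytics.example"}
EXPECTED_DNS = {"shop.example": {"192.0.2.10"}}

if __name__ == "__main__":
    for sev, msg in diff_inventory(BASELINE_HTML, CURRENT_HTML, ALLOWED_HOSTS):
        print(sev.upper(), msg)
    # constructed resolver standing in for a real DNS lookup
    for sev, msg in dns_check(EXPECTED_DNS, lambda host: ["192.0.2.10"]):
        print(sev.upper(), msg)
```

Run against the constructed pages this reports two high findings: a script from `cdn.tracker.example`, which is not on the allow-list, and a modified inline script. The diff is detection only; the preventive counterparts are Subresource Integrity attributes on third-party scripts and a Content-Security-Policy that restricts `script-src` to the approved hosts, so that an injected script fails to load even before the sweep runs.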

Tell us about the upcoming projects in cybersecurity at KPMG that you are excited about.

One of the challenges we have been working on with Microsoft is digital risk modelling. We’re building out an integrated platform which allows us to use data analytics to identify vulnerabilities and control weaknesses in business processes, drawing insights together across a range of GRC tools with a common data model. It allows us to link threats to attack paths to relevant controls, to form a view on vulnerability, and to help prioritise where action and investment is required. We can produce a range of dashboards and viewpoints, even moving clients towards the quantification of cyber risk. For me, getting this right means that we are well positioned to help clients move towards continuous controls monitoring and reporting. It also means we can demonstrate to clients the business consequences of cyber security issues.
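The answer above describes linking threats to attack paths to controls in order to see where the organisation is exposed and where investment should go first. The following Python is an added illustration of that linkage in miniature, not KPMG's platform, data model or code: each attack path is a list of steps, each control covers some steps and has a status, a path counts as blocked once one of its steps is covered by an active control, and a greedy pass over the non-active controls ranks which one to fix or fund first by how many open paths it would close. The threats, paths, controls and statuses are constructed sample data.

```python
"""Added example: threats -> attack paths -> controls, with a simple gap ranking.

Hypothetical model, not KPMG's platform or data model. All threats, paths,
controls and statuses below are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Constructed attack paths: ordered steps an attacker must complete.
ATTACK_PATHS: Dict[str, List[str]] = {
    "P1": ["phishing email", "credential theft", "finance app login"],
    "P2": ["phishing email", "cms compromise", "script injection", "card capture"],
    "P3": ["internet exposure", "weak admin password", "admin takeover"],
}

# Constructed threats, each realised through one or more of the paths above.
THREATS: Dict[str, List[str]] = {
    "T1 payment fraud by organised crime": ["P1", "P2"],
    "T2 opportunistic admin takeover": ["P3"],
}

# Constructed controls: the steps each one covers and its current status.
# "active" = implemented and effective; "ineffective" = implemented but not
# working as intended (e.g. alerts nobody reviews); "planned" = not yet in place.
CONTROLS: Dict[str, dict] = {
    "C1 MFA on admin panel": {"steps": {"admin takeover"}, "status": "active"},
    "C2 CMS hardening and testing": {"steps": {"cms compromise"}, "status": "planned"},
    "C3 script integrity monitoring": {"steps": {"script injection"}, "status": "ineffective"},
    "C4 email filtering": {"steps": {"phishing email"}, "status": "ineffective"},
    "C5 admin panel off the internet": {"steps": {"internet exposure"}, "status": "planned"},
    "C6 MFA on finance app": {"steps": {"finance app login"}, "status": "planned"},
}


def covered_steps(controls: Dict[str, dict]) -> Set[str]:
    """Steps that at least one active control covers."""
    return set().union(*(c["steps"] for c in controls.values() if c["status"] == "active"))


def unblocked_paths(paths: Dict[str, List[str]], controls: Dict[str, dict]) -> List[str]:
    """Paths with no step covered by an active control: the current exposure."""
    covered = covered_steps(controls)
    return [pid for pid, steps in paths.items() if not covered.intersection(steps)]


def exposed_threats(threats: Dict[str, List[str]], paths: Dict[str, List[str]],
                    controls: Dict[str, dict]) -> Dict[str, List[str]]:
    """Threats that still have at least one open path, with those paths listed."""
    open_paths = set(unblocked_paths(paths, controls))
    return {t: [p for p in ps if p in open_paths]
            for t, ps in threats.items() if any(p in open_paths for p in ps)}


def prioritise(paths: Dict[str, List[str]],
               controls: Dict[str, dict]) -> List[Tuple[str, List[str]]]:
    """Greedy ranking: repeatedly pick the non-active control that would close the
    most still-open paths (ties broken by name). Returns (control, paths closed)."""
    remaining = set(unblocked_paths(paths, controls))
    candidates = {cid: c for cid, c in controls.items() if c["status"] != "active"}
    plan: List[Tuple[str, List[str]]] = []
    while remaining and candidates:
        best, best_blocked = None, []  # type: ignore[var-annotated]
        for cid in sorted(candidates):
            blocked = sorted(p for p in remaining if set(paths[p]) & candidates[cid]["steps"])
            if len(blocked) > len(best_blocked):
                best, best_blocked = cid, blocked
        if best is None:            # no candidate touches an open path
            break
        plan.append((best, best_blocked))
        remaining -= set(best_blocked)
        del candidates[best]
    return plan


if __name__ == "__main__":
    print("open paths:", unblocked_paths(ATTACK_PATHS, CONTROLS))
    print("exposed threats:", exposed_threats(THREATS, ATTACK_PATHS, CONTROLS))
    for control, closes in prioritise(ATTACK_PATHS, CONTROLS):
        print(f"fix next: {control} (closes {', '.join(closes)})")
```

On the sample data the only active control, MFA on the admin panel, blocks P3, so T2 is covered while both of T1's paths stay open; the ranking then puts fixing the email filtering first because it is the one control that sits on both open paths. A real platform would weight paths by likelihood and business impact rather than counting them equally, which is the step towards the quantification of cyber risk mentioned above.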

Which trends are you tracking in this space as we approach 2020?

Quite a broad set now. The growth of hybrid cloud offerings along with cloud providers offering an increasingly rich set of security components including SIEM, SOAR and cyber threat intelligence offerings. There’s a shift towards continuous controls monitoring and testing and reporting to regulators. The move of third-party assurance to a utility model and the adoption of risk scoring services. The maturing of the cyber insurance market and the risk modelling which underpins the market. The rise of conversational bots interacting directly with people and the need for security/trust frameworks around such AIs. The moves around consumer protection related to IoT as governments debate the need for basic security embedded into such devices. We have been working with the NSPCC to look at the specific child protection issues around IoT devices helping ensure a safe environment for our children. On that topic we can expect greater interventions around internet content and concerns over online harms. The continued development of active defence techniques aimed at rapid takedown of organised crime infrastructure. The proliferation of offensive cyber capabilities across nation states, and what that means for our critical national infrastructure with growing regulatory concerns over operational resilience and systemic risk. A continued breakup and balkanization of the internet. And cyber security continues to evolve and remains the fascinating subject it has been for over 30 years for me.

Neha: Thank you, David, for sharing your invaluable insights into how companies can build robust frameworks against cyber security attacks. We hope to talk to you again soon.

About David Ferbrache:

David Ferbrache is the global head of cyber futures for KPMG. As part of a portfolio career, he helps KPMG explore the future of cyber security, develop viewpoints on the changes ahead, prepare to deal with the cyber security risks around emerging technology, and build the alliances and partnerships for the future. David was previously the CTO for the Cyber team in the UK. David has spent 30 years in cyber security, spending many of those with the UK Ministry of Defense where he was the Head of Cyber and Space. Over his career he has set up penetration testing teams, run national infrastructure reviews, run UK/US cyber wargames, developed national cyber policy, pioneered cyber security in Defense, set up innovation centers and established cyber security research programs. He also chairs the Scottish Government’s national cyber resilience leaders’ board and is a reservist in the British Army. He was awarded an OBE for his contribution to national security post 9-11 and was recently awarded cyber security personality of the year in the national cyber security awards.

About KPMG:

KPMG Cyber Security assists global organizations in transforming their security, privacy, and continuity controls into business-enabling platforms while maintaining the confidentiality, integrity, and availability of critical business functions. The KPMG Cyber Security approach strategically aligns with clients’ business priorities and compliance needs.

About Tech Talk:

Tech Talk is a Toolbox Interview Series with notable CTOs from around the world. Join us to share your insights and research on where technology and data are heading in the future. This interview series focuses on integrated solutions, research and best practices in the day-to-day work of the tech world.
