6 innovative technologies helping win the war against hackers

Insights - July 2019

 

 

The war between data protectors and hackers seems to be as long and arduous as anything faced by the protagonists of movie epics like Lord of the Rings or Star Wars. As soon as the good guys counter one form of malicious intrusion, the dark side regroups and comes back with another malevolent technique. Can the odds ever be totally tipped in favour of those brave infosec battalions? You might be surprised to hear that the answer is “yes.” In this article, we’ll look at six ways that emerging technologies could be able to solve data protection issues.

 

 

1) Hardware authentication

authentification

It’s a well-known fact that most of us choose inadequately protected passwords and usernames for login credentials. This includes everything from email to social media and even personal banking – and the consequences can be catastrophic. We’re now well into the digital era and still struggling to explain the importance of unguessable/uncrackable password and username combinations. This is proof positive that more secure forms of authentication are needed, particularly when the tools used by hackers and crackers are becoming increasingly sophisticated.

The good news is that the tech giant Intel has arrived at a solution: to “bake” authentication protocols into the hardware of the user. Intel’s new Authenticate solution is implemented into its new Core vPro processor. It’s capable of combining several hardware-enhanced authentication factors at once to validate the identity of the user.

In the past, Intel has dedicated portions of its chipsets to security functioning as part of authentication processes, but its latest development takes things to a whole new level. It’s based on the premise that unbreakable authentication requires not just a username and a password, but a token, too. Ultimately, authentication with vPro will breakdown into these three criteria:

• Who you are (in the form of your username)
• What you know (your password)
• What you have (your device with hardware authentication)

Hardware authentication is of particular importance now that we, as a society, rely increasingly on the Internet of Things (IoT). Because IoT devices can control everything from lighting and heating in the home to production mechanisms in the business place, it is imperative that the network prevents persons or devices from gaining access to something they shouldn’t.

However, for the time being, the most immediate application for hardware authentication remains in traditional IT environments – most notably desktop computers, laptops and mobiles which use Intel chipsets.

 

 

2) Behavioural analytics

behavioural analytics

As soon as a person’s password and username have been compromised, whoever holds the information can easily step into a network and get up to all sorts of cyber mischief. However, user behaviour monitoring can go a long way towards highlighting when an account has been compromised. Just as banks flag up transactions which seem out of character for the customer, so too can IT bosses with user behaviour analytics, or UBA.

UBA is a form of big data analysis which is used to pinpoint and highlight out-of-character behaviour by the user. It’s a relatively new security measure – but an important one which addresses a huge blind spot in network safety. When you think about it, it makes perfect sense: once an attacker compromises the credentials of a legitimate user and gains unauthorised entry to a system, what happens next? Is it possible to differentiate between the activity of a legitimate user and a hacker who has compromised an account before looking for other targets? With UBA, the answer is “yes”.

Essentially, UBA monitors activity and points out any movement that doesn’t fit into a user’s normal daily networking tasks – helping administrators to close in on attacks before anything malicious happens. It essentially exposes the middle link of the hacker chain – in between the initial penetration and the exfiltration of any sensitive data. Until now, the middle links (lateral movement and snooping around files) have never been easily visible to infosec professionals, which is why the interest in user behaviour analytics is growing.

Interestingly, the comparison of a user’s past and present behaviour isn’t the only way to identify a hacker with malicious intent. Peer analysis – a form of UBA – looks at the behaviour of an individual and compares it to those operating under the same manager or the same department in a company. This can often be a key indicator that somebody is doing something they aren’t authorised to, or that somebody has externally taken control of a user account.

Of course, UBA also has its merits as a training tool. Since one of the biggest problems in any company involves employees not adhering to company policy, being able to identify those who stray from the rules before mitigating the risks with extra training can be critical when it comes to protecting the entire business.

 

 

3) Prevention of data loss

data loss

Encryption and tokenisation are key when it comes to the prevention of data loss. These techniques can help form a barrier around data, right down to field and sub-field levels. This can benefit businesses in several ways. For example:

• Attackers will be unable to monetise stolen data, even in the event of a successful breach.
• Data can be moved securely and used across the entire business network. All business analytics and processes can be performed on data even when it is in its protection form. This dramatically reduces the risk of exposure.
• Businesses can be aided greatly when it comes to data privacy compliance regulations – whether its personally identifiable information, payment card details or protected info (such as health details).

The number of records breached from businesses has grown considerably in recent years, which has been prompting an increase in security spending among SMEs. Because of the risks involved with data breaches, companies are seeing security spending as a necessity. After all, data breaches can result in fines, a huge decrease in consumer confidence and hundreds of lost hours trying to make all systems secure/repair any damage.

When it comes to data loss prevention, authentication plays a huge role. It is impossible to have good encryption without key management – and you cannot have key management without having strong authentication.

 

 

 

4) Deep learning

machine learning infosec

Deep learning combines a variety of technologies, including machine learning and artificial intelligence. Whatever you want to call it, there’s a huge degree of interest in it for infosec purposes. Just like user behaviour analytics, deep learning looks at any anomalous behaviour on a network. Ultimately, it’s important to understand where any malicious behaviour on a network comes from – and how it deviates from acceptable or legitimate use of a system, from a security perspective.

Deep learning is a valuable tool for looking deeper under the hood. When you look at activity on an enterprise network, there may be behaviour that isn’t user-triggered but is still malicious – and deep learning uses a slight adaptation of behavioural analytics to help flag-up any potential issues.

Instead of looking at user behaviour, deep learning focuses on “entities”. Recent developments in deep learning now mean that it can be used as a tool to scan entities which exist across the network at minute levels. A data centre, for example, can behave with its own patterns, in the same way that a user can. By identifying at micro and macro levels any deviation from this normal behaviour, deep learning can identify threats.

Essentially, deep learning has an ability that humans don’t – and that’s the ability to decipher between useful and malicious software in a matter of milliseconds, at line speed. The latest machine-learning technologies offer a significant advantage to infosec practitioners who want to decrease the time it takes to detect and eradicate threats.

 

 

 

5) The cloud

cloud sync info sec

Yes, we’re all familiar with the cloud by now – but it will continue to have a transformative impact on the infosec industry. As increasing numbers of organisations replace their on-premises IT solutions with cloud-based systems, this means that security protocols must evolve. Traditional on-premises techniques like firewalls, security hardware and intrusion detection are all easily transitioned to the cloud.

However, rather than businesses removing on-premises software security, they can ringfence cloud security with their own hardware system – making it doubly difficult for anyone with malicious intent to access sensitive data. With cloud-based solutions, the average small-medium enterprise can now have above-average security for their data centre.

 

 

 

 

6) Security orchestration

innovation info sec

Streamlining security processes with security orchestration can help save a lot of time and money. Security orchestration essentially connects different security tools and helps separated security systems to integrate. This automates the entire security process, or most of it at least.

On a base level, security orchestration makes sense. When you consider the volume of data generated by modern security tools, it’s only natural to want to connect each system or process with one another to help leverage automation, and actually get more value out of your processes, tools and employees.

Some would argue that the automation of security operations is no longer something that’s merely useful to have. It’s now a necessity since the management of multiple security tools has become too complex to manage manually. Furthermore, the management of such systems can be inefficient and leaves room for human error.

Let’s take, for example, a threat such as a phishing email. These can take significant time for IT teams to investigate, leaving the door open to human error while security analysts jump from system to system to check email content. The manual effort is simply too much of a risk. The good news is that security orchestration can allow for the automation of these routine investigation tasks and even execute them with much greater accuracy while leaving more time for human insight into the origins of the issue.

By implementing one or more of these solutions, your team of infosec warriors should easily be able to gain the upper hand and keep invaders out of your data. Of course, the battle is ongoing, and we daresay that the need for even more advanced technology will be upon us soon enough – but for now, may you stay safe with the above essential tips.

 

 

If you work in InfoSec, your company could be eligible for R&D Tax Relief. Get in touch now to find out more. 

R&D Tax Credits Advisors. R&D Tax Credits Experts.

 

Terms of use

  1. Initiatives, a registered trademark of F. Initiatives Limited (“we”), are committed to protecting and respecting your privacy.


What’s in these terms?

These terms tell you the rules for using our website https://www.f-initiatives.co.uk/  (our site).

Who we are and how to contact us

https://www.f-initiatives.co.uk/ is a site operated by F. Initiatives Limited (“We”). We are registered in England and Wales under company number 09899833 and have our registered office at 10 John Street, London, United Kingdom, WC1N 2EB

To contact us, please email contact@f-initiatives.uk or telephone 0207 653 1921

By using our website, you accept these terms

By using our site, you confirm that you accept these terms of use and that you agree to comply with them.

If you do not agree to these terms, you must not use our site.

We recommend that you print a copy of these terms for future reference.

There are other terms that may apply to you

These terms of use refer our Privacy Policy which you can view here.

We may make changes to these terms and our site.

We amend these terms from time to time. Every time you wish to use our site, please check these terms to ensure you understand the terms that apply at that time.

We may update and change our site from time to time to reflect changes to our products, our users’ needs and our business priorities.

Our site is made available free of charge. We do not guarantee that our site, or any content on it, will always be available or be uninterrupted. We may suspend or withdraw or restrict the availability of all or any part of our site for business and operational reasons. We will try to give you reasonable notice of any suspension or withdrawal.

Our site is only for users in the UK

Our site is directed to people residing and companies operating in the United Kingdom. We do not represent that content available on or through our site is appropriate for use in other locations.

How you may use material on our site

We are the owner or the licensee of all intellectual property rights in our site, and in the material published on it. Those works are protected by copyright laws and treaties around the world. All such rights are reserved.

You may print off one copy, and may download extracts, of any page(s) from our site for your personal use and you may draw the attention of others within your organisation to content posted on our site.

You must not modify the paper or digital copies of any materials you have printed off or downloaded in any way, and you must not use any illustrations, photographs, video or audio sequences or any graphics separately from any accompanying text.

Our status as the authors of content on our site must always be acknowledged by ensuring that the words “Copyright ©F. Initiatives Limited” are clearly visible.

You must not use any part of the content on our site for commercial purposes without obtaining a licence to do so from us.

If you print off, copy or download any part of our site in breach of these terms of use, your right to use our site will cease immediately and you must, at our option, return or destroy any copies of the materials you have made.

Reliance on information on this site

The content on our site is provided for general information only. It is not intended to amount to advice on which you should rely. You should obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content on our site.

Although we make reasonable efforts to update the information on our site, we make no representations, warranties or guarantees, whether express or implied, that the content on our site is accurate, complete or up to date.

We are not responsible for websites we link to

Where our site contains links to other sites and resources provided by third parties, these links are provided for your information only. Such links should not be interpreted as approval by us of those linked websites or information you may obtain from them.

We have no control over the contents of those sites or resources.

Our responsibility for loss or damage suffered by you

Whether you are a consumer or a business user:

  • We do not exclude or limit in any way our liability to you where it would be unlawful to do so. This includes liability for death or personal injury caused by our negligence or the negligence of our employees, agents or subcontractors and for fraud or fraudulent misrepresentation.

  • Different limitations and exclusions of liability will apply to liability arising as a result of the supply of any services to you, which will be set out in any agreement we enter into with you.


If you are a business user:

  • We exclude all implied conditions, warranties, representations or other terms that may apply to our site or any content on it.

  • We will not be liable to you for any loss or damage, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, even if foreseeable, arising under or in connection with:

  • use of, or inability to use, our site; or

  • use of or reliance on any content displayed on our site.

  • In particular, we will not be liable for:

  • loss of profits, sales, business, or revenue;

  • business interruption;

  • loss of anticipated savings;

  • loss of business opportunity, goodwill or reputation; or

  • any indirect or consequential loss or damage.


If you are a consumer user:

  • Please note that we only provide our site for domestic and private use. You agree not to use our site for any commercial or business purposes, and we have no liability to you for any loss of profit, loss of business, business interruption, or loss of business opportunity.

  • If defective digital content that we have supplied, damages a device or digital content belonging to you and this is caused by our failure to use reasonable care and skill, we will either repair the damage or pay you compensation.


How we may use your personal information

We will only use your personal information as set out in our privacy policy (link to Privacy Policy page).

We are not responsible for viruses and you must not introduce them.

We do not guarantee that our site will be secure or free from bugs or viruses.

You are responsible for configuring your information technology, computer programmes and platform to access our site. You should use your own virus protection software.

You must not misuse our site by knowingly introducing viruses, trojans, worms, logic bombs or other material that is malicious or technologically harmful. You must not attempt to gain unauthorised access to our site, the server on which our site is stored or any server, computer or database connected to our site. You must not attack our site via a denial-of-service attack or a distributed denial-of service attack. By breaching this provision, you would commit a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities and we will co-operate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use our site will cease immediately.

Rules about linking to our site

We are very happy for you to link to any of our pages whether directly or via backlinks or to make linkless mentions provided any such link or mention is fair and legal and does not damage our reputation or take advantage of it. We would also ask that any such links or mentions use the correct spelling of our name i.e. F. Initiatives.

You must not establish a link in such a way as to suggest any form of association, approval or endorsement on our part where none exists.

You must not establish a link to our site in any website that is not owned by you.

Our site must not be framed on any other site.

We reserve the right to withdraw these permissions without notice.

Which country’s laws apply to any disputes?

If you are a consumer, please note that these terms of use, their subject matter and their formation, are governed by English law. You and we both agree that the courts of England and Wales will have exclusive jurisdiction except that if you are a resident of Northern Ireland you may also bring proceedings in Northern Ireland, and if you are resident of Scotland, you may also bring proceedings in Scotland.

If you are a business, these terms of use, their subject matter and their formation (and any non-contractual disputes or claims) are governed by English law. We both agree to the exclusive jurisdiction of the courts of England and Wales.

 


Privacy PolicyScope

This policy applies to F. Initiatives and My R&D Claim™ which are both trading names of F. Initiatives Ltd, a company registered in England under number 09899833 whose registered office is at 10 John Street, London, United Kingdom, WC1N 2EB. The privacy policy explains how we use any personal information we collect about you when you use this website and our wider services.

What is personal data?

Personal data relates to any information about a natural person that makes you identifiable which may include (but is not limited to):

  • Names and contact information i.e. emails and telephone numbers

  • Employee numbers

  • Payroll and accounting data


What is sensitive personal data?

Sensitive personal data refers to the above but includes genetic data and biometric data.  For example:

  • Medical conditions

  • Religious or philosophical beliefs and political opinions

  • Racial or ethnic origin

  • Convictions

  • Biometric data (e.g. photo in an electronic passport)


What is a Data Controller?

For general data protection regulation purposes, the “data controller” means the person or organisation who decides the purposes for which and the way in which any personal data is processed.

The data controller is F. Initiatives Ltd, 10 John Street, London, United Kingdom, WC1N 2EB. The data protection officer is Solenne Desprez Braun, who can be contacted at F. Initiatives Ltd, Albert Buildings, 49 Queen Victoria Street, London, EC4N 4SA or on personaldata@f-initiatives.co.uk  or by calling 0207 653 1921.

Our Full Data Governance Policy can be found here.

What is a Data Processor?

A “data processor” is a person or organisation which processes personal data for the controller.

What is Data Processing?

Data processing is any operation or set of operations performed upon personal data, or sets of it, be it by automated systems or not. Examples of data processing explicitly listed in the text of the GDPR are: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or making available, aligning or combining, restricting, erasure or destruction.

What do we mean by Business to Business?

PLC, LTD, LLP incorporated partnerships, trusts and foundations, local authorities and government institutions.

What do we mean by Business to Consumer?

Private clients, sole traders, unincorporated partnerships, trusts and foundations.

What information do we collect about you and how?

  1. Initiatives Ltd, as a Data Controller, is bound by the requirements of the General Data Protection Regulations (GDPR).


You agree that we are entitled to obtain, use and process the information you provide to us to enable us to discharge the Services (as defined in our Letter of Engagement and supporting Schedules) and for other related purposes including;

  • Maintaining client records to comply with customer due diligence requirements

  • Carrying out identity checks in relation to you

  • Statutory returns such as Company Tax Returns and Annual Accounts

  • Legal and regulatory compliance

  • Crime prevention.


We collect information about you when you fill in any of the forms on our website i.e. sending an enquiry, signing up for a service, signing up for an event, filling in a survey, giving feedback etc. Website usage information is collected using cookies.

When submitting forms on our website we use a third-party software provider for automated data collection and processing purposes, they will not use your data for any purposes and will only hold the data in line with our policy on data retention.

Cookies are text files put on your computer to collect standard internet log information and visitor behaviour information.  This information is then used to track visitor use of the website and to create statistical reports on website activity.  For more information visit www.aboutcookies.org or www.allaboutcookies.org.

You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser.  Please note in a few cases some of our website features may not function because of this.

Analytics – e.g. how visitors use our website

We use Google Analytics to store information about how visitors use our website so that we may make improvements and give visitors a better user experience.

Google Analytics is a third-party information storage system that records information about the pages you visit, the length of time you were on specific pages and the website in general, how you arrived at the site and what you clicked on when you were there. These cookies do not store any personal information about you e.g. name, address etc. and we do not share the data. You can view their privacy policy below:

Google - http://www.google.com/intl/en/policies/privacy/

IP addresses

An IP or Internet Protocol Address is a unique numerical address assigned to a computer as it logs on to the internet. F. Initiatives Ltd do not have access to any personal identifiable information and we would never seek this information. Your IP address is logged when visiting our site, but our analytic software only uses this information to track how many visitors we have from particular regions.

Internet Based Advertising

We use Linkedin, Facebook and Twitter advertising services and as such there are tracking codes installed on our website so that we can manage the effectiveness of these campaigns.  We do not store any personal data within this type of tracking.

How will we use the information about you and why?

At F. Initiatives Ltd we take your privacy seriously and will only use your personal information to provide the Services you have requested from us, detailed in your Letter of Engagement and supporting Schedules and as we have identified above.  We will only use this information subject to your instructions, data protection law and our duty of confidentiality.

For Business to Business Clients and Contacts our lawful reason for processing your personal information will be “legitimate interests”.  Under “legitimate interests” we can process your personal information if: we have a genuine and legitimate reason and we are not harming any of your rights and interests.

For Business to Consumer Clients and Contacts our lawful reason for processing your personal information will be “A contract with the individual” e.g. to supply goods and services you have requested, or to fulfil obligations under an employment contract.  This also includes steps taken at your request before entering into a contract.

We may receive personal data from you for the purposes of our money laundering checks, such as a copy of your passport.  This data will only be processed for the purposes of preventing money laundering and terrorist financing, or as otherwise permitted by law or with your express consent.

Our work for you may require us to pass your information to our third-party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing the Services to you on our behalf.  However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the Services and we have contracts in place that requires them to keep your information secure and not to use it for their own direct marketing purposes.

We collect information on our website to process your enquiry, deal with your event registration, give advice based on survey data and improve our services.  If you agree, we will also use this information to share updates with you about our services which we believe may be of interest to you.

We will not share your information for marketing purposes with companies so that they may offer you their products and services.

Transferring your information outside of Europe

As part of the services offered to you through this website, the information which you give to us may be transferred to countries outside the European Union (“EU”). For example, some of our third-party providers may be located outside of the EU.  Where this is the case we will take steps to make sure the right security measures are taken so that your privacy rights continue to be protected as outlined in this policy.  By submitting your personal data, you’re agreeing to this transfer, storing or processing.  Where our third-party supplies are in the US we have ensured that their services fall under the “Privacy Shield” whereby participating companies are deemed to have adequate protection and therefore facilitate the transfer of information from the EU to the US.

If you use our services while you are outside the EU, your information may be transferred outside the EU to give you those services.

Security precautions in place about data collected

When you give us personal information, we take steps to make sure that it’s treated securely. Any sensitive information (such as credit or debit card details) is encrypted and protected with the following software 128 Bit encryption on SSL. When you are on a secure page, a lock icon will appear on the bottom of web browsers such as Microsoft Internet Explorer.

Non-sensitive details (your email address etc.) are sent normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Profiling

We may analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you. We may make use of extra information about you when it is available from external sources to help us do this effectively. We may also use your personal information to detect and cut fraud and credit risk.

Marketing

We would like to send you information about our services which may be of interest to you.  If you have consented to receive marketing, you may opt out at any point as set out below.

You have a right at any time to stop us from contacting you for marketing purposes.  To opt out please email: contact@f-initiatives.co.uk.

How long will we hold your data for?

  • Marketing: We will hold your data for a period of 6 years with a review every 3 years.  You will have the opportunity to opt out or update or delete data at any point should you need to do so and details are set out in this policy as to how to do that.

  • Contracted Services: We will hold your data for 7 years in line with our regulatory requirements.


Access to your information, correction, portability and deletion

What is a Subject Access Request?

This is your right to request a copy of the information that we hold about you.  If you would like a copy of some or all your personal information, please email or write to us at the following address: Antoine Abbatucci, Managing Director - UK, F. Initiatives Ltd, Albert Buildings, 49 Queen Victoria Street, London, EC4N 4SA. We will respond to your request within one month of receipt of the request.

We want to make sure your personal information is accurate and up to date.  You may ask us to correct or remove information you think is inaccurate by emailing contact@f-initiatives.co.uk or writing to the above address.

Objections to processing of personal data

It is your right to lodge an objection to the processing of your personal data if you feel the “ground relating to your particular situation” apply.  The only reasons we will be able to deny your request is if we can show compelling legitimate grounds for the processing, which override your interest, rights and freedoms, or the processing is for the establishment, exercise or defence of a legal claims.

Data Portability

It is also your right to receive the personal data which you have given to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without delay from the current controller if:

(a)    The processing is based on consent or on a contract, and

(b)    The processing is carried out by automated means.

Your Right to be Forgotten

Should you wish for us to completely delete all information that we hold about you:

  • Email: contact@f-initiatives.co.uk or

  • In Writing to: Antoine Abbatucci, Managing Director - UK, F. Initiatives Ltd, Albert Buildings, 49 Queen Victoria Street, London, EC4N 4SA.


Other websites

Our website contains links to other websites.  This privacy policy only applies to this website so when you link to other websites you should read their own privacy policies.

Complaints

If you feel that your personal data has been processed in a way that does not meet the GDPR, you have a specific right to lodge a complaint with the relevant supervisory authority.   The supervisory authority will then tell you of the progress and outcome of your complaint.  The supervisory authority in the UK is the Information Commissioner’s Office.

Changes to our Privacy Policy

We keep our privacy policy under regular review and we will place any updates on this web page.  This privacy policy was last updated on 03 January 2019 and the Version number is 1.2 in line with the new GDPR guidelines.

How to contact us

Please contact us if you have any questions about our privacy policy or information we hold about you:

  • By email: contact@f-initiatives.co.uk

  • Or write to us: Antoine Abbatucci, Managing Director - UK, F. Initiatives Ltd, Albert Buildings, 49 Queen Victoria Street, London, EC4N 4SA.


 

BY USING THIS WEBSITE, YOU ACCEPT THE TERMS OF THIS PRIVACY POLICY. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY OR ANY OF ITS TERMS YOU SHOULD NOT USE THE WEBSITE AND SHOULD CEASE TO ACCESS THE WEBSITE IMMEDIATELY.