volume 2 | issue 10 | november 2018 - ciso mag...| november 2018 | november 2018 volume 2 | issue 10...

Volume 2 | Issue 10 | November 2018

CISO MAG | November 2018 CISO MAG | November 2018

Volume 2 | Issue 10Volume 2 | Issue 10

32

倀刀伀嘀䤀匀䔀䘀伀刀夀伀唀倀爀漀嘀椀猀攀椀猀愀渀䤀渀搀攀瀀攀渀搀攀渀琀Ⰰ 瀀爀漀搀甀挀琀愀最渀漀猀琀椀挀爀攀猀攀愀爀挀栀搀爀椀瘀攀渀䄀搀瘀椀猀漀爀礀 ǻ爀洀猀瀀攀挀椀愀氀椀稀椀渀最椀渀䜀刀䌀愀渀搀䌀礀戀攀爀匀攀挀甀爀椀琀礀倀爀漀昀攀猀猀椀漀渀愀氀匀攀爀瘀椀挀攀猀⸀

圀栀愀琀猀琀愀爀琀攀搀眀椀琀栀琀眀漀瀀攀漀瀀氀攀椀渀㈀　椀猀渀漀眀愀渀攀渀琀椀琀礀猀瀀愀渀渀椀渀最愀挀爀漀猀猀爀攀最椀漀渀猀眀椀琀栀愀最氀漀戀愀氀瀀漀爀琀昀漀氀椀漀漀昀氀攀愀搀椀渀最挀甀猀琀漀洀攀爀猀⸀

匀椀渀挀攀椀琀猀椀渀挀攀瀀琀椀漀渀椀渀㈀　Ⰰ 倀爀漀瘀椀猀攀栀愀猀攀砀瀀愀渀搀攀搀椀琀猀昀漀漀琀瀀爀椀渀琀椀渀㜀挀漀甀渀琀爀椀攀猀愀渀搀栀愀猀愀爀漀甀渀搀㜀㔀⬀ 匀甀挀挀攀猀猀昀甀氀瀀爀漀樀攀挀琀猀攀砀攀挀甀琀攀搀⸀

䄀猀漀昀琀漀搀愀礀Ⰰ 倀爀漀瘀椀猀攀椀猀愀吀爀甀猀琀攀搀挀礀戀攀爀猀攀挀甀爀椀琀礀瀀愀爀琀渀攀爀椀渀唀䄀䔀昀漀爀琀栀攀䰀愀爀最攀猀琀倀漀氀椀挀攀䘀漀爀挀攀Ⰰ 䰀愀爀最攀猀琀刀攀愀氀䔀猀琀愀琀攀䘀椀爀洀Ⰰ 䰀愀爀最攀猀琀吀攀氀攀挀漀洀䌀漀洀瀀愀渀礀Ⰰ䰀愀爀最攀猀琀䔀渀琀攀爀琀愀椀渀洀攀渀琀䤀猀氀愀渀搀愀渀搀猀琀爀椀瘀椀渀最昀漀爀洀甀挀栀洀漀爀攀⸀

伀唀刀䈀唀匀䤀一䔀匀匀䰀䤀一䔀匀

吀攀挀栀渀漀氀漀最礀䜀漀瘀攀爀渀愀渀挀攀Ⰰ 刀椀猀欀愀渀搀䌀漀洀瀀氀椀愀渀挀攀愀搀瘀椀猀漀爀礀戀甀猀椀渀攀猀猀

圀䤀一一䤀一䜀䤀匀一伀圀䄀䠀䄀䈀䤀吀䤀一倀刀伀嘀䤀匀䔀

䤀渀搀甀猀琀爀礀猀瀀攀挀椀昀椀挀 Ⰰ 吀栀爀攀愀琀䌀攀渀琀爀椀挀䌀礀戀攀爀匀攀挀甀爀椀琀礀䄀猀猀甀爀愀渀挀攀愀渀搀䴀漀渀椀琀漀爀椀渀最

刀☀䐀䤀匀吀䠀䔀䌀伀刀䔀伀䘀䄀䰀䰀匀䔀刀嘀䤀䌀䔀匀䄀一䐀倀刀伀䨀䔀䌀吀匀

倀爀漀搀甀挀琀䔀渀最椀渀攀攀爀椀渀最愀渀搀刀☀䐀椀猀氀漀挀愀琀攀搀椀渀䈀攀渀最愀氀甀爀甀⸀

䜀刀䌀䌀伀䜀一䤀吀䤀嘀䔀倀䰀䄀吀䘀伀刀䴀䌀夀䈀䔀刀匀䔀䌀唀刀䤀吀夀倀䰀䄀吀䘀伀刀䴀

椀渀渀漀瘀愀琀椀漀渀搀椀猀琀椀渀最甀椀猀栀攀猀戀攀琀眀攀攀渀愀氀攀愀搀攀爀愀渀搀愀昀漀氀氀漀眀攀爀

嘀椀猀椀漀渀吀漀戀攀琀栀攀挀甀猀琀漀洀攀爀猀瀀愀爀琀渀攀爀

漀昀挀栀漀椀挀攀昀漀爀猀愀昀攀最甀愀爀搀椀渀最琀栀攀椀爀搀椀最椀琀愀氀愀猀猀攀琀猀

䴀椀猀猀椀漀渀㈀　㈀吀漀瀀㌀䌀礀戀攀爀匀攀挀甀爀椀琀礀刀攀猀攀愀爀挀栀䘀椀爀洀猀椀渀䄀猀椀愀一漀⸀ 䜀刀䌀倀氀愀琀昀漀爀洀䜀氀漀戀愀氀氀礀一漀⸀ 䜀刀䌀䌀漀渀猀甀氀琀椀渀最䘀椀爀洀䜀氀漀戀愀氀氀礀

伀唀刀䐀一䄀



54

Last year around this time, Bitcoin reached its all-time high at just shy of $20,000 per coin. Ever since then, cryptocurrency has become mainstream with many competitors to the original making waves. This issue will delve

deeper into the world of cryptocurrencies and the pivotal role they’ve played in the information security space, for both good and ill. In our Buzz section, we look at the origin of cryptocurrencies, how Bitcoin came to be, its golden age, and where it could be headed.

Move to our Cover Story where we talk about how several cyber-attacks started a relatively new trend, where companies stockpile Bitcoins to pay ransom to retrieve their data. We discuss the drawbacks of such practices and how cryptocurrencies can be a tool for more than simply serving as ransom money.

Also in this issue, we interview Eng. Badar Ali Al Saleh, Director General Oman National CERT, where he talks about the establishment of OCERT, his journey so far, and the key milestones OCERT has achieved.

In the Insight section, we discuss having stronger security for your company which must begin by understanding the mind and the motives of the opponents, and how important it is to shift from a merely defensive security posture to one that anticipates how those bad actors gain access to the network.

Tell us what you think of this issue. If you have any suggestions, comments, or queries, please reach us at [email protected].

Jay BavisiEditor-in-Chief

* Responsible for selection of news under PRB Act. Printed & Published by Apoorba Kumar, E-Commerce Consultants Pvt. Ltd., Editor: Rahul Arora.The publishers regret that they cannot accept liability for errors & omissions contained in this publication, howsoever caused. The opinion & views contained in this publication are not necessarily those of the publisher. Readers are advised to seek specialist advice before acting on the information contained in the publication which is provided for general use & may not be appropriate for the readers’ particular circumstances. The ownership of trade marks is acknowledged. No part of this publication or any part of the contents thereof may be reproduced, stored in a retrieval system, or transmitted in any form without the permission of the publishers in writing.

Volume 2 | Issue 10November 2018

EditorialInternational EditorAmber Pedroncelli

[email protected]

Senior EditorRahul Arora

[email protected]

Senior Feature WriterAugustin Kurian

[email protected]

Feature Writer Rudra Srinivas

[email protected]

Media and DesignMedia Director

Saba [email protected]

DesignerSuresh CH

[email protected]

ManagementExecutive DirectorApoorba Kumar*

[email protected]

Senior Director, Compliance & Governance

Cherylann [email protected]

Marketing & SalesGeneral ManagerMeghana Vyas

[email protected]

Marketing and Business Development Officer

Pooja [email protected]

Riddhi [email protected]

Sales Manager - IndiaBasant Das

[email protected]

Sales Manager - North AmericaJessica Johnson

[email protected]

TechnologyDirector of Technology

Raj Kumar [email protected]

INDEX

BUZZBitcoin: Part Currency, Part Revolution

UNDER THE SPOTLIGHTEng. Badar Ali Al Saleh

Director GeneralOman National CERT

COVER STORYStockpiling Cryptocurrency May Not bea Silver Bullet

INSIGHTFor Stronger Security, Get Inside the Mind of

Your Opponent

COLLABORATIONSInfosec Partnerships

IN THE NEWSTop Stories from the Cybersecurity World

KICKSTARTERSStartups Making Waves in the Cybersecurity World

IN THE HOTSEATHigh-Profile Appointments in the Cybersecurity World

08

16

26

36

44

52

62

58

mailto:[email protected]



76

Advertisement

From the CISO Perspectiveto Cloud Security Assessments

The secret is out:Enterprises large and small have moved to the cloud,

and more are making the move daily. Whether you’re an early adopter or you’ve been battling that persistent

strain of nephophobia going around, it’simportant to thoroughly understand and evaluate

potential cloud vendors, instilling confidence for your organization and your customers.

Learn How to Make the Leap With Confidence

http://bit.ly/2ivU4l9

Download our Cloud Security Toolkit to help you evaluate

potential cloud vendors.

Get insight into how other companies are approaching

cloud opportunities, andinstill confidence across your

organization today.



98

BUZZ BUZZ

Bitcoin: Part currency, Part revolution 0908

Augustin Kurian



1 110

BUZZ BUZZ

When the man known to the world as Satoshi Nakamoto not just unveiled

a new currency but a new way to think about currency, our world was changed forever. What Bitcoin did to the world of cryptocurrency, or rather, to the world of economics is unparalleled. Bitcoin brought cryptocurrency limelight, and with it, a host of challenges. Bitcoin wasn’t the first cryptocurrency. The history of cryptocurrency traces its roots back to the early eighties when cryptographer David Chaum had the idea of an anonymous cryptographic electronic money called ecash.

1 110According to him, electronic payment systems have a substantial impact on personal privacy as well as the nature and extent of the criminal use of payments. “Ideally a new payments system should address both of these seemingly conflicting sets of concerns. On the one hand, knowledge by a third party of the payee, amount, and time of payment for every transaction made by an individual can reveal a great deal about the individual’s whereabouts, associations and lifestyle,” he wrote in his proposal for ecash. Ecash would have properties like “the inability of third parties to determine payee, time or amount of payments made by an individual; Ability of individuals to provide proof of payment, or to determine the identity of the payee under exceptional circumstances; and ability to stop use of payments media reported stolen.”

By 1989, he started DigiCash Inc, with ecash as its trademark. Thus ecash became the first ever cryptographic electronic currency and it was as secure and private as cash in the physical world. In 1997, Nicholas Negroponte, celebrated guru and Greek American architect, signaled his support to the currency by backing the venture and becoming Chaum’s first ever client. But DigiCash had a short lifespan and by 1999, Chaum sold his patents. “It was hard to get enough merchants to accept it so that you could get enough consumers to use it, or vice versa,” he said in an early interview with Forbes.

But, the idea of cryptic money did not die with DigiCash. Several others joined the legion of crypto-anarchism which believed that encrypted exchanges ensured total anonymity, total freedom of speech, and total freedom to trade. Around 1998, Wei Dai, one of these crypto-anarchists, published a description of “b-money,” a new kind of crypto money. Around the same time, purveyors of crypto anarchy like Nick Szabo went ahead and created Bit Gold that required users to complete proof-of-work, a piece of data which helped ease verification of the currency. The only problem was that Szabo’s technology wasn’t reusable and was very expensive to be made.

Later, Hal Finney created a currency system that deployed Reusable Proof-of-Work (RPoW). Although it was never intended to be more than a prototype, it did solve some of the problems of its predecessors. “An RPOW client creates an RPOW token by

providing a proof-of-work string of a given difficulty, signed by his private key. The server then registers that token as belonging to the signing key. The client can then give the token to another key by signing a transfer order to a public key. The server then duly registers the token as belonging to the corresponding private key,” points out nakamotoinstitute.org in one of their posts. This was one of the first times the concept of cryptocurrency was becoming a reality. But challenges remained and the biggest one was tracking the currency to prevent double spending.

Double spending simply means the same digital currency being spent more than once as the token file could be easily copied, duplicated, and even falsified. It wasn’t until someone proposed a new cryptocurrency in 2009 that this issue was solved. That someone here is still unknown and is still referred to by his pseudonym, Satoshi Nakamoto, and the currency is Bitcoin.

Bitcoin was the solution to the problem of double spending. Nakamoto’s invention limited mining of the currency through a peer-to-peer network where no bank, government, or any other central authority had control. The users of the new currency could protect themselves from double spending by waiting for confirmations when receiving payments on the blockchain. Once the confirmation is sent, the transactions became irreversible. This was the biggest win for the crypto-anarchists, who were skeptical of the banking sector. “The root problem with

https://www.forbes.com/forbes/1999/1101/6411390a.html#2ea5a8c4715fhttps://nakamotoinstitute.org/finney/rpow/



1312

The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

BUZZ BUZZ

The AI-Specific Cybersecurity Skills Gap

AI platforms create their own new cybersecurity jobs. Organizations need people to design, deploy, run, and continuously upgrade their AI platforms, and these skills are even more rare and valuable than most of the existing cybersecurity skills organizations cannot find in the marketplace.

To begin with, there is an overall global shortage of general AI talent. Anyone who wants to hire for AI-related roles for their cybersecurity platform has to compete with everyone else who is hiring AI specialists. Much of the existing AI talent in the marketplace appears to be getting poached by autonomous vehicle companies and other “hotter” applications of cognitive computing. As noted by Bloomberg, there may be only 200,000 - 300,000 total AI researchers and practitioners in the world, with fewer than 22,000 PhD-level computer scientists qualified to work in AI. The result? As SecurityNow puts it, “large companies are shelling out $300,000 or more in salaries to engineers with modest AI experience and expertise.”

In sum, while AI will certainly help solve certain roles within the overall cybersecurity skills gap, it won’t fill the most valuable roles that require real human experience and insight and will create a new skills gap for “cybersecurity AI experts.” For most organizations, the only way to fill this gap is to find a security partner to fill it for them.

1312

The Genesis

Of course, Bitcoin was not an overnight sensation. In early January 2009, Nakamoto mined the first ever batch of Bitcoins, which later came to be known as the Genesis Block. Hal Finney was among the few early cryptographers who received the first block of Bitcoin. In the early years, Nakamoto’s brainchild remained an obscure and confusing phenomenon for the rest world outside of a few early adopters. But Bitcoin gradually started gaining accolades from the stakeholders of digital currency. Even Finney was of the opinion that Bitcoin was a world-changing invention. During the early years, the Electronic Frontier Foundation, an advocate for digital privacy, accepted donations in the new currency.

During this time, the price hovered around $50 for 10,000 Bitcoins. On May 22, 2010, Laszlo Hanyecz, a programmer based out of Florida, made the first real world Bitcoin transaction, where he paid 10,000 Bitcoins for two pizzas from Papa John’s. In reality though, Papa John’s didn’t actually accept Bitcoins and

Laszlo had to send the Bitcoins to a volunteer in England, who then ordered the pizza using his credit card. Also around this same time, David Forster, a farmer based out of Massachusetts, began accepting Bitcoins for his alpaca socks.

It is estimated that Nakamoto mined nearly one million Bitcoins before disappearing into the abyss of the internet. Many faithful are still pondering the true identity of

conventional currency is all the trust that’s required to make it work. The central bank must be trusted not to debase the currency, but the history of fiat currencies is full of breaches of that trust. Banks must be trusted to hold our money and transfer it electronically, but they lend it out in waves of credit bubbles with barely a fraction in reserve. We have to trust them with our privacy, trust them not to let identity thieves drain our accounts,” Satoshi Nakamoto wrote on his paper in 2009.

Nakamoto but haven’t had any luck in unmasking him (at least as of the time of publication of this article).

The Golden Age Begins

By early 2011, there was a massive spike in the popularity of the currency. The major downside was that Bitcoin became the choice of currency for the black market, most prominently the Silk Road. As Bitcoin became the exclusive currency of cybercrime, the price escalated from $0.30 per Bitcoin to $31.50 between January and June 2011. With the dubious distinction attached to Bitcoins, the price fell month after month, reaching $4.77. The price fluctuated again during 2012, when it reached $13.30 and slumped back to $7.10. During this time, an agency called Bitcoin Foundation was founded to promote its development.

Things gradually changed for Bitcoin in the ensuing years. Several spin-offs of Bitcoins emerged and cryptocurrency exchanges started to play a crucial role in the price of Bitcoin. By mid 2014, the US Financial Crimes Enforcement Network (FinCEN) enforced legal regulations for American Bitcoin miners. With regulators and government getting involved, things got serious. In 2013, the US Drug Enforcement Administration (DEA) listed 11.02 bitcoins as seized assets. This marked the first time a government body seized a cryptocurrency. By October of the same year, the FBI apprehended Ross William Ulbricht for his involvement in illegal trade on the Silk Road and seized 26,000 Bitcoins from him.

On 30 November 2013, the price reached its highest point ever at $1,163, but that highpoint was short

lived. By February 2014, the price of Bitcoins fell by half following a hack at Mt. Gox exchange, one of the largest Bitcoin exchanges at the time. The exchange lost nearly $500 million. Bitcoin gradually recovered its value over the next years.

The Boom

In January 2017, prices rose to $998, signaling the currency’s recovery. On December 17, 2017, Bitcoin’s price reached an all-time high of $19,666. What followed was a mad rush of buying and selling. “I don’t know what’s going to happen in the future. I’m really not a fortune teller or anything like that. I believe that more than fear of regulation that decline from the $20,000 peak was more of just a normal retracement,” Mati Greenspan, a senior analyst at eToro told Express. “Whenever the bitcoin price moves and jumps into a new order of magnitude, we need to see some sort of retracement on that. It’s the same thing that when it jumped up from eight cents to $3.50 then it had a retracement back to a dollar. That’s a very normal thing after that kind of leap. So, if we look at it now I believe we are about five or six percent up over the price a year ago,” he added.

And then it all changed. The price of Bitcoins has slumped since its highpoint on December 17, 2017, because of several breaches in exchanges and regulatory turmoil. On the day the article was written, Bitcoin’s market capitalization fell below the $100 billion mark on, with a per coin price standing at $5,564.70. Of course, this price is still a huge leap from where it all began.

The central bank must be

trusted not to debase the currency, but the history of

fiat currencies is full of

breaches of that trust.

Banks must be trusted to hold our money and

transfer it electronically

"https://www.bloomberg.com/news/articles/2018-02-13/in-the-war-for-ai-talent-sky-high-salaries-are-the-weapons""https://www.securitynow.com/author.asp?section_id=706&doc_id=741645"https://www.marketwatch.com/story/the-currency-thats-up-200000-1307029053200http://p2pfoundation.ning.com/forum/topics/bitcoin-open-source



1514

*Graduate Certificates available for:Disaster Recovery; Digital Forensics; IT Analyst; Executive Information Assurance; Information Security Professional

PROPEL YOUR CAREERAS A CYBER SECURITY LEADER

with an online cyber security degree from ECCU

burning-glass.com

85%OF ALL CYBER SECURITY JOB VACANCIES

Require a Bachelor’s Degree or Higher

*GRADUATEDEGREE

PROGRAM

MASTEROF SCIENCE

In Cyber Security

BACHELOROF SCIENCE

In Cyber Security



1716

UNDER THE SPOTLIGHT

Interview ofENG. BADAR ALI AL SALEHDirector GeneralOman National CERT

Eng. Badar Ali Al-Salehi is the Director of Oman National CERT, an e-Oman national initiative aiming at addressing cybersecurity risks, building local cybersecurity capabilities, and promoting cybersecurity awareness among public and private sector organizations in Oman. A veteran in this arena, Al-Salehi is a member of several regional and international forums and committees.

In an exclusive interview with CISO MAG, Al-Salehi discusses regulations and laws for cybersecurity, state of ethical hacking in Oman, and requisites for keeping critical infrastructures safe from cyber-attacks.

Rahul Arora

UNDER THE SPOTLIGHT

1716



1918

OCERT resources are a part of the Information Technology Authority in Oman, and

we have clear and extensive

capacity building

programs. Human

resources development

has been addressed very

seriously in ITA.

UNDER THE SPOTLIGHT

UNDER THE SPOTLIGHT

1918

OCERT was established in 2010 to ensure the cyber safety and security of the country. How has the journey been in the last eight years and what are the key milestones OCERT has been able to achieve?OCERT was established with a clear vision and objectives. The initiative has been able to accomplish the following:

• Built highly skilled and expert professional team in cybersecurity and cyber incident management

• Obtained regional and international membership and recognitions including GCC-CERT, OIC-CERT, FRIST, Malware alliance, APWG, and Honey Net Project.

• Elected as the chair of OIC-CERT

• Elected as the chair of ITU Arab Study groups 17

• Hosted the ITU Arab regional cyber security center

• Obtained the World Summit in Information Society (WSIS) award in the category of building confidence and security in the use of ICT

What are the key components of a



2120

UNDER THE SPOTLIGHT

How does OCERT allocate resources to attract and build strong cybersecurity teams?OCERT resources are a part of the Information Technology Authority in Oman, and we have clear and extensive capacity building programs. Human resources development has been addressed very seriously in ITA. The professionals get tremendous international exposure and an opportunity to assist in regional and international cybersecurity initiatives.

How does your team work with peer organizations, academia, and the private sector to minimize cyber risk?OCERT has created the partnerships development program that provides it an opportunity to partner with organizations, academia and private sector. Additionally on individual level, OCERT introduced the cybersecurity ambassador programs targeting public, academics, and professionals both form government and private sector.

What role does cybersecurity education and training

UNDER THE SPOTLIGHT

solid framework that would facilitate the government to offer secure e-government services?The framework we are adopting is based on a global cyber security agenda that addresses cybersecurity with regards to organizational structure, legal and technical measures, capacity building, and international cooperation.

Many economies have recently introduced regulations or laws related to data protection and privacy. Do you think Oman should have a regulation similar to that as well?

Oman has actually initiated the process of drafting a privacy law and it should be issued very soon.

Do you think Blockchain technology is an answer to data privacy and data security concerns?Every technology would certainly have an impact on cybersecurity, either positive or negative. Being proactive would also certainly minimize negative effects.

2120
https://store.eccouncil.org/product/ciso-mag-annual-membership-fee-2/

volume 2 | issue 10 | november 2018 - ciso mag...| november 2018 | november 2018 volume 2 | issue 10...

Documents