Locked Shields, a NATO-organised cyber defence war game, has been running technical live-fire cyber defence exercises annually since the start of the decade. Teams, the blue teams, are tasked with maintaining the defences of a fictional country while under attack from a red team. War gaming today is not simply about protecting territory and physical infrastructure, but also the ICT systems that underpin critical national infrastructure, including finance, power and health, as cyber threats have become a real and ever-present danger to government and businesses alike. In fact, UK businesses experienced 188 high-level attacks in the last 6 months. In a major move by government, a National Cyber Security Centre (NCSC) has now been created to help make the UK one of the safest places in the world to do business.

The national ICT infrastructure has become the next frontier to guard, in the face of a growing and fast-evolving cyber threat landscape. The modern adversary – hostile states, criminal groups and malicious hackers – is increasingly sophisticated in how it penetrates networks, and can then often lurk within a network for up to 200 days – the proverbial 200-day problem – before carrying out its mission of stealing commercial and state secrets and intellectual property, corrupting data or causing damage to systems. Understanding the mindset of potential attackers and testing an organisation’s vulnerabilities and cyber preparedness are vital, and this is driving more organisations to run red and blue team simulations.

Cyber defence war games

In a military setting, red and blue team simulations are intended to test physical defence capabilities and reveal any unknown vulnerabilities or blind spots. Such role play, which incorporates intelligence sharing, not only tests troops’ and their commanders’ ability to respond to a real emergency, but also identifies previously unknown weaknesses and improves their ability to detect and oppose enemy forces.
In cyber security war gaming, the red team is the fictitious threat actor simulating a cyber attack, aiming to find holes in and penetrate the defences of the blue team. Often, organisations bring in external expertise, companies such as The Exercise Group 7, who provide services to run these simulations and test management’s handling of the situation, including management of media and stakeholders in the market. Such war gaming exercises test the strategies that organisations have prepared against attack. In the face of a cyber attack, does the blue team choose to completely lock down its systems? Or should they be kept running to lure the attacker, at the risk of a breach? This is where relevant, contextual threat intelligence comes into play – a core element of military strategy and planning. And this intelligence is not only important within the context of war gaming; it is also becoming an increasingly necessary ingredient in information security programmes.

Threat intelligence to the fore

However, the modern availability of large quantities of threat intelligence poses the problem of how security professionals sift out what is relevant. A Ponemon Institute study conducted in 2016 revealed that 70 percent of security professionals believe threat intelligence is often too voluminous and/or complex to provide actionable insights. There are too many tools that identify malicious, often automated, probing of company defences, but with too little integration among them, making the job of identifying and contextualising a real cyber penetration akin to finding a needle in a haystack. To manage the scale of the problem, automation is required. A threat intelligence platform (TIP) can provide this and more: it integrates with an organisation’s existing security stack – threat intelligence feeds, firewalls and IPS, endpoint products like Carbon Black and Tanium, and SIEMs.
A TIP adds context to data and, critically, helps weed out false positives and brings the most important threats observed in your environment to the foreground. It also saves time, which may be critical to preventing damage, with data presented in one tab for analysis instead of having to dig it up from multiple tabs. Response time is improved as a TIP automates the tedious research and collection part of the process, performing an investigation and response in a minute or two rather than the typical 20 minutes. Most organisations simply do not have enough analysts to manage without such TIP tools, and their analysts have too little time to analyse and decide which problems to focus on. Automating the simple, repetitive tasks of information security means humans can focus on the actionable tasks and apply human geopolitical knowledge, thereby reducing analyst fatigue. As a result, organisations can save money, focusing existing resources instead of spending more.

We’re stronger in numbers

Where secret intelligence sharing was once the domain of governments and intelligence agencies, and related to national security interests, the role of cyber threat intelligence sharing has expanded, becoming more mainstream in the commercial sector in partnership with government cyber security agencies. There are significant benefits to intelligence sharing, especially as hostile actors and groups learn to shift their tools and tactics across industries. Some sectors get hit harder by certain attacks than others and develop stronger “muscle memory” against those attacks. Spreading that knowledge and experience of breach details, hunting and defence techniques pools resources for the ultimate defence. Information Sharing and Analysis Centres (ISACs) are “trusted circles” whose members share critical intelligence with each other.
Certain industries such as financial services and healthcare are early adopters, realising the value in aggregating threat intelligence, enriching and deduplicating it, removing false positives and building clusters of related information. ISACs help to streamline this threat information sharing and collaboration, and apply context to intelligence. Cases where breach details are shared quickly could make the difference in preventing someone else from being attacked, which makes life harder for bad actors.

Conclusion

Threat intelligence is essential to keeping ahead of the modern cyber adversary. The value of a versatile and robust threat intelligence platform, coupled with intelligence sharing, is undeniable, and can equip businesses to find and respond to cyber threats, even identifying suspicious or malicious activity before it reaches the network.

Essential compliance knowledge for iGaming professionals. Conference: Compliance Briefing London, 12 October 2017. Courses: igacademy.com/courses

By Jamie Stone, Vice President, EMEA at Anomali
Originally published by GDPR.Report
The European Union’s Fourth Anti-Money Laundering Directive (4MLD) came into force in June 2015, allowing Member States two years to transpose the legislation into national law. The UK did so by way of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017), which came into force on 26 June 2017.
4MLD has a wide reach and brings about a number of significant changes for the gambling sector. The overriding aim is to enhance a risk-based approach to anti-money laundering and counter-terrorist financing (AML/CTF) at all levels.

Application

An important distinction to note is that the application of 4MLD and the application of the MLRs 2017 differ greatly with regard to gambling providers. 4MLD goes beyond its predecessor by bringing all providers of gambling services, whether carried out in a physical location (non-remote) or via forms of remote communication such as internet and TV (remote), within its remit. Previously, only casinos were covered. However, 4MLD contains a provision allowing Member States to exempt all or parts of their gambling industry from the scope of the Regulations if they are proven to be low risk. The UK exercised this option, and as a result the MLRs 2017 currently apply only to casinos (non-remote and remote). Non-remote casinos are covered by the MLRs 2017 where at least one piece of remote gambling equipment is based in Great Britain, or the services provided by the casino are used here. This means that large numbers of other gambling providers, such as betting shops and bingo halls, are not covered by the MLRs 2017.

Risk Assessments

Part of the rationale behind the decision to maintain the status quo was the robust legislative framework already in place. All gambling providers are regulated by the Gambling Commission, and must comply with their obligations under the Proceeds of Crime Act 2002 and the Gambling Act 2005. Furthermore, a fundamental requirement under 4MLD has already been an obligation for gambling providers since October 2016: 4MLD requires all obliged entities (‘relevant persons’ under the MLRs 2017) to carry out an AML/CTF risk assessment, and to ensure they have adequate procedures in place to guard against the risks identified.
For gambling providers, this requirement was introduced prior to the implementation of the MLRs 2017, when the Licence Conditions and Codes of Practice (LCCPs) were amended. Despite the MLRs 2017 currently applying only to casinos, it remains imperative that all providers ensure they operate to high compliance standards. The Government has announced it will conduct an assessment before 26 June 2018 to consider whether gambling services should continue to be excluded from the regulations. Should the level of risk posed by the industry increase, it remains open to the Government to bring the whole sector under the remit of the MLRs 2017.

Key changes

For those covered by the MLRs 2017, or by 4MLD by way of domestic legislation in other Member States, there are several key changes to be aware of.

Customer due diligence (CDD)

CDD must be applied at the point of entering a business relationship, or where a provider becomes aware that the circumstances of an existing customer, relevant to their risk assessment, have changed. CDD measures must also be applied to any transactions that amount to €2,000 or more, whether the transaction is executed in a single operation or in multiple operations that appear to be linked. This must be carried out not only at the point of collecting winnings, but also at the point of wagering a stake.

Simplified Due Diligence (SDD) and Enhanced Due Diligence (EDD)

4MLD removes the list of scenarios in which SDD can automatically be used. Instead, SDD can only be applied when a relevant person has assessed the relationship or transaction to be low risk. EDD must be applied when a relevant person has identified a high risk of money laundering or terrorist financing. Further to this, there are a number of stipulated scenarios in which EDD must be applied, including when a relationship or transaction is with a person established in a high-risk third country, or where a transaction appears unusually large or complex.
Politically Exposed Persons (PEPs)

The definition of a PEP has been extended to cover domestic individuals (and/or their families and close associates), where previously it was confined to foreign individuals. As a result, providers may need to reconsider individuals with whom they have pre-existing business relationships, and have procedures in place to identify PEPs at the point of entering into a business relationship.

Nominated Officer

4MLD stipulates that an individual in the relevant person’s firm must be appointed as a nominated officer. As it has often been common practice for small-scale gambling providers to outsource such a role to a third party, providers must be aware that this is no longer permitted.

Reliance on Third Parties

Relevant persons may outsource services; however, they retain ultimate responsibility for meeting their AML/CTF obligations. It is therefore vital that providers are confident in third-party providers’ ability to meet compliance standards, particularly when carrying out tasks such as CDD.

Sanctions

There is a clear emphasis on holding relevant persons accountable should they fall short of their compliance obligations. The Gambling Commission has demonstrated that it will take action against those who are non-compliant. At the start of July, the Commission unveiled a new enforcement strategy, which creates higher penalties for breaches, especially when systematic or repeated. Casino operators should also note that the MLRs 2017 create a new provision which holds individuals accountable should they knowingly or recklessly make a false or misleading statement while in purported compliance with the investigation and/or enforcement provisions. Gambling providers, whether subject to the MLRs 2017 or not, must be alert to the potential risks posed to them. Providers must know their customers, and assess the level of monitoring necessary to combat the associated risks.
The key change 4MLD brings is that a risk-based approach must be at the heart of all AML/CTF practice and procedure. Gambling providers must be aware of the high compliance standards expected of them, and the potential civil or criminal sanctions they could face for non-compliance.

By Olivia Haggar, Corker Binning

With all the hype around the General Data Protection Regulation (GDPR), which comes into force in less than a year, many organisations that hold Personally Identifiable Information (PII) are extremely worried about achieving compliance. They understand the principles of what is required but are struggling with the practical details of implementation. They are right to be concerned: as well as resulting in a large fine and reputational damage, a serious breach could shut an organisation down because it will be forced to stop all data processing, from paying its employees to receiving electronic payments. The hype itself has increased the risk; the public now know what to do if they suspect a breach of privacy has occurred, and know how to use Freedom of Information (FOI) requests to obtain information. Any organisation which fell victim to the recent WannaCry ransomware attack, for example, experienced a data breach which would have had to be notified to the Information Commissioner’s Office (ICO) under the GDPR. However, organisations could use the situation to create business advantage. Clearly, achieving GDPR compliance is going to require spending, in which case why not use the opportunity to bridge towards a recognised data security standard at the same time? And, turning the issue of compliance on its head, could we turn the ICO’s list of companies who notified them of an incident within their well-managed data protection system from a roll of shame into a roll of honour for their honesty?
Moving towards industry standards

Industry standards such as ISO27001, ISO20000 and ISO22301 provide a good base for GDPR compliance. Compliance with a standard demonstrates both an organisation’s operational processes and its board’s commitment in these areas to the relevant security authority. It also supports the audit requirements between data controllers and data processors. Organisations which have already met these standards and have a good underpinning security system will still need to make a few changes: improve data mapping, data classification and the associated governance around processing of data, and confirm supply chain contracts in respect of controller and processor responsibilities. There may also be a need for small tweaks to their security incident processes to cover GDPR’s requirement for privacy breach notifications. However, their existing risk assessment and treatment processes and underlying IT platform should accommodate the new requirements.

If your organisation is not currently aligned to an industry standard, you will have to build compliant processes and procedures from scratch anyway to avoid the fines and reputational damage that would result from a breach. So why not implement GDPR in a way that bridges towards these standards? As well as enabling your organisation to become compliant, this will give you new business differentiators and potentially open up new markets where these standards are mandatory. GDPR does not meet the full requirements of industry standards such as ISO27001 (and the standard does not cover all the needs of GDPR). However, with the appropriate business case, GDPR can be implemented in a way that aligns with industry standards and provides a good base for achieving certification in the future, if required by the business for its market development and growth.

A roll of integrity, not shame?
One aspect of GDPR that organisations will have to address is the requirement to define in advance how their processes work to store and use data. For example, if a small or medium-sized organisation thinks its employees may have emails containing PII on their mobile phones, it can use technology to tackle the issue. Software tools such as Druva inSync can scan files and data as part of the device’s backup and recovery process to identify potential PII and other sensitive data. Once located, the data can then be protected or deleted in line with company policy – a capability available as a service from organisations such as Fordway. However, where data records are amalgamated (e.g. in backup copies) and cannot be deleted immediately on request, the organisation needs to provide the security authority with a statement explaining this. It may even be better to speak to the ICO first to clarify the restrictions and define the response with them, to ensure everything is on the correct legal footing. The underlying principle is that organisations can obtain prior ICO approval for things that are not technically possible for them, provided that they show technically why they cannot be done and demonstrate that they have made all reasonable efforts to comply with the legislation.

The logical extension of this is that we should applaud those organisations which ‘fess up’ in advance about any breaches in data protection or the restrictions in their systems. They are behaving with integrity, and so should have nothing to fear. In contrast, consider the recent IT meltdown at British Airways – a large organisation with considerable resources. It is not clear exactly what happened, but the resulting ‘explanations’ appear to be smoke and mirrors to cover up business continuity that was not fit for purpose.

Taking the first steps

The GDPR will clearly require major changes for many organisations.
The first and most important piece of advice is: don’t panic, but begin planning now. Take a deep breath, look at your organisation’s existing processes for handling PII and identify areas where you may need to make changes. Then consider whether it would be strategically advantageous to obtain other compliance standards such as Cyber Essentials, ISO27001 and ISO20000. If so, look for ways to use the changes required for GDPR to align with these standards and consolidate the costs of compliance. A full security review and analysis, either internally or using a third-party specialist, will then enable you to scope the changes required and make an informed decision on how to proceed.

Neville Armstrong, Service Strategist, Fordway
Originally published by GDPR.Report

The natural assumption ahead of GDPR implementation is that businesses and service providers have taken, or are taking, steps to ensure that their systems and processes are compliant. But in the case of organisations that use external service providers for data storage and management, is there an assumption that their systems will automatically be ‘GDPR-ready’? If so, what are the responsibilities of both organisation and service provider to ensure GDPR compliance, and what steps can be implemented to ensure that these are clearly defined and implemented?
The responsibility of the business

Preparing systems to be GDPR compliant is not a small task. It starts with making sure the decision makers in the organisation are aware of the legislative change. After that, just a few of the steps to compliance, as suggested by the Information Commissioner’s Office (ICO), include:

· Analysing and documenting the type of personal data the business holds.
· Checking procedures to make sure they cover all the rights individuals have.
· Identifying the lawful basis for processing activity.
· Reviewing consent procedures.
· Implementing procedures to detect, report and investigate personal data breaches.

This may seem like a small list, but in reality implementing all of these steps can be daunting. For a business that stores its own data, it may be the ideal time to consider moving to an infrastructure delivered by a provider that has GDPR compliance expertise. The advantage can be two-fold: taking the storage function externally can free up a lot of space and resources internally, while also reducing the in-house time, resources and budget needed to make systems GDPR compliant. It is, however, important that the service provider’s systems meet GDPR requirements and that they can demonstrate that they comply with the legislation, particularly to a company outsourcing for the first time. If in doubt, always ask.

It’s also critical to understand where providers are storing data. The data centres may reside in the UK or EU, but the contract may prevent data being transferred between data centres outside of the EU. An organisation may choose to work with a provider outside of the EU, but if the data relates to an EU citizen, safeguards and measures must be in place to meet the GDPR standards. Carrying out an assessment to determine the level of risk that could be posed to individuals should data be compromised will help a company to understand whether further measures need to be implemented to protect that data.
Last but not least, a business that handles large amounts of personal information may need to appoint a Data Protection Officer (DPO). Companies involved in large-scale monitoring, CCTV recording or profiling will certainly need to consider this.

The responsibility of the service provider

GDPR marks a change in the balance of responsibility between data controller and data processor. Under the new regulations, data processors – such as IT and cloud hosting providers – will have more responsibility to better protect data. It’s therefore important to question a cloud provider or potential new supplier more thoroughly about whether they are compliant, and to be reassured and shown that data is in the hands of a GDPR-compliant service provider. When drawing up a contract, whether for a new or a repeat service, it’s now more important than ever to look at the small print. External providers need to include and clearly define their capabilities and coverage of GDPR compliance. For example, if you haven’t yet started the compliance process, discuss and agree on whether the provider can and will undertake it as part of the service. Don’t assume that it will automatically be undertaken when it’s not in the contract, because this could be disastrous for both parties.

GDPR is coming. It is not a recommended code of practice but a legal requirement. Businesses and service providers have an obligation to ensure compliance before May 25th next year, or face fines of up to 4% of annual turnover, as well as the possibility of bans on trading in EU locations if providers do not comply with the GDPR. Compliance can be a daunting task, but burying one’s head in the sand in the hope it will go away is not the answer. Find reliable technology partners who have experts on hand to answer questions and provide reassurance that your organisation won’t be in the firing line when the legislation takes effect.
By Paul Mills, group sales director, Six Degrees Group
Originally published on GDPR.Report

The Regulations
Serious and organised crime costs the UK at least £24 billion each year. To conceal the proceeds of crime, money launderers exploit financial systems that enable anonymity when carrying out transactions. The EU’s Fourth Money Laundering Directive (4MLD) was brought into force in the UK under The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 on the 26th June. The government must ensure that regulated businesses comply, not just because it’s the right thing to do, but because it will want to strengthen the stability, integrity and reputation of the UK financial sector following Brexit.

The new regulations introduced a stricter, risk-based approach to anti-money laundering, in which regulated businesses must perform more exhaustive checks on their customers. Regulated gaming operators must carry out a risk assessment of their clients to ascertain whether they present a high or low money laundering risk, including searches for adverse information. Although the requirements are stricter, the regulations underline a customer-centric, risk-based approach, thereby minimising the risk of businesses inadvertently laundering the proceeds of crime.

Obliged Operators

In the gambling industry, the UK Treasury was able to exempt lower-risk sectors from the Regulations, applying exemptions to all but non-remote and remote casinos. Whilst only holders of casino operating licences are subject to the new requirements, other gambling operators would be well advised to take a similar approach. The money laundering risks across the gambling industry are not uniform; some parts of the sector are more vulnerable than others. This is recognised by the government, which relies on the UK Gambling Commission to monitor and report the sector’s evolving risks.
Of particular concern to the government are betting shops, which are cash-intensive and often take sums in excess of the new €2,000 stake limit in anonymous bets or through fixed odds betting terminals. As a result, these sections of the industry may come under the new Regulations if they fail to prevent money laundering and terrorist financing under existing obligations outlined by the Gambling Act, the Proceeds of Crime Act and industry standards.

Industry Impact

On the 21st June, the Gambling Commission issued guidance to operators regarding the new Regulations. It urged operators to review their risk assessments and processes to ensure they were meeting anti-money laundering and social responsibility obligations. The guidelines specified that this means assessing ongoing risks as the customer relationship progresses, not just at the withdrawal stage. The guidance can be read in full here. This guidance was updated on the 31st July, with the Gambling Commission urging:

“All casino operators both non-remote and remote must comply with the new regulations and will need to ensure they have effective measures in place.

“As the regulations are already in force, we expect casino operators to familiarise themselves with the new regulations as soon as possible, and take action to comply.”

Under the more prescriptive Regulations, carrying out appropriate customer checks manually will be challenging, especially if the customer is based abroad. Without the right processes and expertise, searching for adverse information on customers and evidencing results appropriately may prove too challenging to undertake. Given the explosion of information on the web in recent years, searching for adverse information has become far more difficult. It is almost impossible to hold all relevant data in structured databases.
This means that manual searching of the web is usually required, but this method can be hit-and-miss, since relevant information may not be indexed on the web at the time of searching.

Implementing Technology

Today, it is nearly impossible to undertake the necessary due diligence without the right technological tools. Developments in Artificial Intelligence have enabled new ways of extracting information without spending undue time and money. Those attempting to carry out customer due diligence and research adverse information will find the process expensive and inconsistent, and important information can be missed. When a customer is based abroad, this is particularly problematic: researchers must be able to identify pertinent information published in the customer’s native language. Technology companies are developing products to make regulatory compliance easier and address common compliance issues. These tools can produce more accurate results far quicker than a manual search, and perform regulatory functions such as ongoing monitoring and accurate translation. Regulatory Technology (RegTech) tools can be used to ease the workload when performing adverse information searches and to monitor the ongoing risks presented by customers. Technology and human expertise can be combined, creating a powerful defence against money laundering. Gambling operators would be well advised to harness the power of both to fulfil their moral and regulatory obligations.

By Jane Jee, Barrister and CEO of Kompli-Global
Compliance Briefing: London – 12 October 2017, County Hall, London