FEATURE
should governments attempt to do so, it is their own economies that are likely to end up in the ecommerce slow lane – or worse. “If legislation were ever passed in the US where vendors had to give a copy of their encryption keys to law enforcement, it really wouldn’t surprise me to see them move their operations overseas,” he says. “Some companies, such as Lavabit, even shut down rather than hand messages over. So it’s a big deal.”
About the author
Cath Everett has been an editor and journalist for more than 20 years, specialising in information security, employment, skills and all things HR. She has worked in the online world since 1996, but also has extensive experience of print, having worked for publications ranging from The Guardian to The Manager. She returned to the UK at the end of 2014 from South Africa, where she wrote a lifestyle blog for International Business Times.
Silent risk: new incarnations of longstanding threats
Duncan Hughes, A10 Networks
Network Security, August 2016
The security world has a tendency to operate rather like the music singles chart – always looking for and getting excited about the hot new trends, whether that’s Bring Your Own Device (BYOD), the Internet of Things (IoT), drones or some other next-generation technology fad. But the threats of yesteryear don’t die out – they evolve and mutate with increasing speed and complexity. While security teams are engaged in headline-worthy battles with the newest breed of cyber-exploit, criminals are strengthening their hand with developed versions of long-standing attack vectors such as malvertising, amplification distributed denial of service (DDoS) and point of sale (PoS) or virtual desktop infrastructure (VDI) attacks. In light of these continuing risks, it’s worth looking at some of the key ‘evolved’ attack types that security personnel must keep in mind if they are to protect the enterprise from every angle – as well as the best response methods.
Mobile for malvertisers
One of the major challenges facing security teams in 2016 is the near ubiquity of mobile devices connecting to enterprise networks. Smartphones and other connected devices are integral in sectors ranging from manufacturing to healthcare. The difficulty comes in trying to control endpoint security. While a device is outside the organisation it cannot be easily protected by corporate threat defence or anti-malware systems. As a result, malware picked up on an unguarded endpoint can have a direct route into the network. This is a particularly dangerous weakness if we consider the continued prevalence of malvertising. In essence, during a malvertising attack the assailant distributes malicious code through online advertising networks. The malicious widgets are hosted by legitimate servers and are purposefully designed to fluctuate and change, resulting in effective blindness for traditional blacklisting security tools. Designed to detect malicious sites, these do not have the agility necessary to block the ads.
Malvertisers frequently take advantage of new exploits, often masked using known methods such as Dynamic DNS to prevent tracking, and signature and sandbox evasion techniques to further propagate their malware across advertising networks. As a result, a malware infection most often occurs without triggering an alert from SIEM systems or similar. This enables malicious code to reside on the device without its owner’s knowledge. The device may then be used to gain access to the target’s network, which fails to detect the infiltration because it enters via a trusted device. Whereas many conventional computers are equipped with some level of malware protection, at the very least to the extent that users will be notified of the presence of suspicious code, many mobile devices are rolled out for public use without similar defences in place. The result is an easily exploited gateway into the network. From a network security perspective, advanced threat protection (ATP) platforms can help detect malware in web traffic, intercepting malware en route if not at source. Since many web-based advertisements are now delivered over SSL, organisations should make it a priority to put decryption solutions in place in order to inspect encrypted traffic – typically by inspecting inbound and outbound data on a granular, rather than a machine-by-machine, basis.
Often, the command and control connections used by malware to establish contact with the perpetrator are masked within SSL connections. This prevents normal threat detection systems from blocking the channel and inhibiting the malware code. If the intent of the attacker is to use malware to gather and export data, this too is often concealed within an SSL connection. The use of SSL visibility platforms gives back control to the organisation, allowing interception of the command and control channel and thus enabling inspection of, and protection against, malicious connections. SSL inspection solutions can also be used to mitigate the potential for data leaks via malware tools, enabling security teams to map unusual data movements and track their origin.
UDP fuels DDoS amplification attacks
For the past five years or so, cybercriminals have exploited DNS and NTP servers to amplify the size of their DDoS attacks. In a DNS or NTP amplification attack, the attacker impersonates the attack target and sends a small request to a reflector server. This fires an outsized response at the victim, flooding the target network. DNS amplification attacks can increase the size of DDoS attacks by up to 54 times, while NTP amplification attacks can magnify DDoS by a factor of 556.
Amplification attack using open DNS servers.
DNS and NTP are not the only sources of amplification attacks. Attackers can also use SNMP, NetBIOS and other protocols to launch amplification attacks, and have even exploited WordPress applications to carry out large-scale DDoS assaults. Amplification has contributed to the escalating size of DDoS attacks. According to research commissioned by A10 Networks, over the past year the average peak bandwidth of attacks was 30-40Gbps, over 10 times the average figure in 2011 (4.7Gbps).[1]
The average peak bandwidth of DDoS attacks has risen to 30-40Gbps. Source: A10 Networks.
One of the challenges of detecting and mitigating amplification attacks is that trusted sites hosting legitimate user datagram protocol (UDP) services are often unwittingly used by attackers to amplify the attack. This not only provides the scale needed to create the very large traffic volumes associated with amplification attacks but also lends the source traffic credibility. However, the real story has been the increase in the average packets per second for typical DDoS attacks: attack rates in Q1 2016 have rocketed to an average of 50-80 million packets per second (Mpps), up from 7.8Mpps in 2013. Many of the largest DDoS attacks over the past two years have been amplification attacks. Moreover, attackers continually investigate new attack vectors, as witnessed by the discovery of DVMRP-based reflection attacks in 2014. Distance Vector Multicast Routing Protocol (DVMRP) reflection attacks, disclosed by Team Cymru, have already been observed by service providers.
To protect against amplification attacks in 2016, organisations need to deploy security equipment that can mitigate large-scale DDoS attacks. The DDoS mitigation solutions employed should be able to define a peacetime baseline of UDP application traffic volume and apply limits to traffic exceeding that volume. This level of visibility is particularly important as it allows finer tuning of policies to surgically defend against the specific attack while still allowing legitimate traffic through. In addition, network controllers must consider what steps can be taken to ensure their own systems are not abused in turn, preventing them from being used as an amplifier within an attack. If an organisation’s infrastructure is compromised in this way it will cause serious reputational damage, and it could also lead to subsequent service interruptions if it became classified as a bad actor.
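The two defensive measures just described, a peacetime baseline with a limit on UDP traffic above it and a check that one’s own UDP service is not being used as an amplifier, as an added illustration that is not part of the article or of any A10 product. The flow records, IP addresses and the mean-plus-three-standard-deviations threshold are constructed assumptions.

```python
# Added example (not from the article): peacetime baseline for one UDP service,
# the limit derived from it, and a reflector-abuse check. All data is constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Flow records: (second, src_ip, dst_ip, src_port, dst_port, packets, bytes).
# Quiet hour: DNS answers (source port 53) arriving at our host at 20-23 pps.
PEACETIME = [(s, "198.51.100.7", "203.0.113.10", 53, 40000 + s, 20 + s % 4, 4000)
             for s in range(60)]
# Later window: five open resolvers each fire 3000 answers/s at the same host.
ATTACK = PEACETIME[:3] + [
    (100, f"192.0.2.{n}", "203.0.113.10", 53, 41000 + n, 3000, 9_000_000)
    for n in range(1, 6)]
# Traffic seen at our own resolver 198.51.100.7: spoofed 60-byte queries that
# claim to come from the victim, plus one genuine client.
REFLECTED = [
    (200, "203.0.113.10", "198.51.100.7", 5353, 53, 1, 60),
    (200, "198.51.100.7", "203.0.113.10", 53, 5353, 1, 3000),
] * 3 + [
    (200, "192.0.2.50", "198.51.100.7", 4444, 53, 1, 60),
    (200, "198.51.100.7", "192.0.2.50", 53, 4444, 1, 200)]

def packets_per_second(flows, service_port):
    """Packets per second sourced from one UDP service port (e.g. 53, 123)."""
    pps = defaultdict(int)
    for sec, _src, _dst, sport, _dport, pkts, _nbytes in flows:
        if sport == service_port:
            pps[sec] += pkts
    return pps

def peacetime_limit(flows, service_port, k=3.0):
    """Limit = mean + k standard deviations of the peacetime per-second rate."""
    rates = list(packets_per_second(flows, service_port).values())
    return mean(rates) + k * pstdev(rates)

def seconds_over_limit(flows, service_port, limit):
    """Seconds in which the service's rate exceeds the limit and should be policed."""
    rates = packets_per_second(flows, service_port)
    return sorted(sec for sec, rate in rates.items() if rate > limit)

def reflector_abuse(flows, our_server, service_port, min_factor=10.0):
    """Peers that got far more bytes from our service than they sent it (spoofing footprint)."""
    to_us, from_us = defaultdict(int), defaultdict(int)
    for _sec, src, dst, sport, dport, _pkts, nbytes in flows:
        if dst == our_server and dport == service_port:
            to_us[src] += nbytes
        elif src == our_server and sport == service_port:
            from_us[dst] += nbytes
    ratios = {peer: from_us[peer] / max(to_us[peer], 1) for peer in from_us}
    return {peer: r for peer, r in ratios.items() if r >= min_factor}
```

A genuine client in REFLECTED receives only about three times what it sent and is not flagged, while the spoofed victim shows a 50x byte ratio, which is the amplification footprint the article warns about.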
VDI and the ‘security storm’
Virtual desktop infrastructure (VDI) allows organisations to host desktop environments on servers and enables users to access these desktops from any location. Compared to traditional desktop infrastructures, VDI provides a host of advantages – organisations can lower hardware and operating costs, support BYOD initiatives and bolster security. Since all data is stored in a central location rather than on endpoint devices, VDI also reduces the risk of physical data theft.
However, desktop virtualisation also exposes new security challenges. Organisations often host multiple desktops with the same operating system and the same set of applications on a single physical server. Without proper isolation, an attacker can install a rootkit and compromise multiple desktops. With limited system diversity, attackers who uncover a single vulnerability can quickly exploit thousands of desktops in one fell swoop. Attackers are now executing more brute force attacks on virtual desktops than ever before.
One of the big challenges with VDI environments is addressing the ‘security storm’ issue. This is where multiple security tools running on the same machine contend for system resources. In a number of organisations, IT teams have resorted to disabling some security tools, either permanently or on a casual basis, in order to mitigate this problem. This approach effectively leaves multiple attack target points exposed at any one time. Just like physical desktop machines, virtual machines are exposed to software vulnerabilities. Users in a VDI environment can download software that exposes the system to malware by inadvertently clicking malicious links. Security tools disabled even for a brief period still leave the virtual machine as exposed as the underlying physical one. As a result, the security of the VDI environment needs to be considered separately from the enterprise access network and given a different set of requirements. To protect VDI environments, organisations should implement operating system or application isolation – especially if virtual desktops are hosted in the cloud. They should also control how data can be transferred to and from VDI environments, install anti-malware software in the environment and monitor for intrusions. SSL inspection solutions are also an effective means of protecting the VDI environment: they enable security teams to prevent malware establishing encrypted command and control connections and to prevent data exfiltration.
Compromising PoS systems
Retail breaches overshadowed virtually every other attack vector in late 2013 and 2014. A continuous parade of breach disclosures hit the headlines and affected many of the world’s most well-known retail brands. The culprit behind these breaches was malware infections on PoS devices. Using a variety of techniques, including brute force and compromising management or software update tools, hackers are able to install malware on PoS systems. The malware scrapes credit card numbers and CVVs from system memory. The most advanced malware strains capture data from inter-process communications, zeroing in on payment card data.
Harder for hackers
While these attacks will continue, the migration to chip-and-PIN smartcards has made it harder for hackers to monetise the data stolen from PoS systems. They won’t be able to use fake magnetic stripe cards and will primarily be relegated to online payment fraud. Targets for PoS attacks include not only the PoS terminals themselves but also the PoS systems and broader infrastructure. Malware is often targeted at the PoS terminals themselves, which are frequently located in remote trading places where public access is possible. This makes them a soft target. Since PoS terminals will often communicate across the network and directly with external payment providers, it becomes more difficult to discriminate legitimate traffic from malicious. A compromised server could be used to collect data from a number of PoS terminals before aggregating it and forwarding it via SSL-encrypted connections to the hackers.
With this in mind, what should organisations do to prevent PoS-based breaches? They can protect PoS systems from malware using whitelisting, code-signing and behavioural techniques; harden systems against compromise by controlling who and what can access PoS terminals; and monitor for infiltrations with advanced threat prevention platforms. And since malware can communicate with command and control servers over SSL and over normally harmless protocols like DNS, organisations should inspect all traffic, including encrypted traffic. Organisations should ensure they have solutions capable of inspecting data encrypted using SSL technologies to determine whether traffic is legitimate, and those solutions should be able to mitigate command and control connections established from within the organisation.
Conclusion
The greatest danger of a varied attack landscape is that each variation is layered on top of the last rather than replacing it. With this approach the volume of threats increases exponentially. Security teams must ensure that their network defence strategy is capable of keeping up to speed with old nemeses even while spinning up fresh capabilities to counter the new breed.
About the author
Duncan Hughes is systems engineering director at A10 Networks (www.a10networks.com). He has 25 years’ experience in the field of advanced communication systems, including datacentres, virtualisation, security and application delivery. Hughes joined A10 Networks in 2013 from UK start-up Gnodal. Prior to that he spent some 10 years as the pre-sales manager at Foundry Networks, which was acquired by Brocade in 2008. During that time he worked across a broad set of commercial organisations, including financial institutions, service providers, media organisations and government agencies. Prior to Foundry Networks, Hughes worked with a number of organisations including Cable & Wireless, Perot Systems, Case Communications and British Telecom.
Reference
1. ‘2016 IDG Connect DDoS Survey’. IDG/A10 Networks. Accessed Aug 2016. www.a10networks.com/sites/default/files/A10-MS-23175-EN.pdf.
EVENTS CALENDAR
6–7 September 2016: CyberTech Singapore, Singapore. http://cybertechsingapore.com/
7–9 September 2016: International Cyber Security & Intelligence Conference, Ontario, Canada. https://icsic.ocmtontario.ca/
14–16 September 2016: 44Con, London, UK. www.44con.com
19–20 September 2016: Information Security Network, Reading, UK. https://thenetwork-group.com/information-security-network/
21 September 2016: New York Cyber Security Summit, New York, USA. http://cybersummitusa.com/newyork-2016/
26–27 September 2016: CyberSec: European Cyber Security Forum, Krakow, Poland. http://cybersecforum.eu/en/
27–28 September 2016: Industrial Control Cyber Security Europe, London, UK. https://industrialcontrolsecurityeurope.com/
28–30 September 2016: SCADA & Cyber Security for Power & Utilities Industry, Berlin, Germany. http://bit.ly/29hlbuy
August 2016