Cyber Security - Do you know the risks?
Over the past 18 months, the world has witnessed ever larger and more frequent security breaches of trusted IT systems. NHS, Target, Anthem, Sony, Uber… the list is getting longer. The costs are increasing – executives are getting fired and companies are losing market value as consumer trust wavers. While all of this is terrifying, the consequences of future cyber crimes will be even more dire. The perpetrators – organised, profit-motivated global crime rings and state-sponsored entities looking to advance political ideologies – are getting stronger.
Cyber security – defined as the protection of systems, networks and data in cyberspace – is a critical issue for all businesses. Cyber security will only become more important as more devices are connected to the Internet. While rapid technological developments have provided vast areas of new opportunity and potential sources of efficiency for organisations of all sizes, these new technologies have also brought unprecedented threats.
An effective cyber security posture should be proportional to the risks faced by each organisation, and should be based on the results of a risk assessment.
All organisations face two types of cyber attack:
They will be deliberately attacked because they have a high profile and appear to have valuable data (or there is some other publicity benefit in a successful attack).
They will be attacked by opportunists because an automated scan detects the existence of exploitable vulnerabilities. Virtually every Internet-facing entity will have exploitable vulnerabilities unless it has been specifically tested and secured.
Cyber criminals are indiscriminate. Where there is a weakness, they will try to exploit it. Therefore, all organisations need to understand the cyber threats they face, and safeguard against them.
Cyber risks can be divided into three distinct types:
Cyber crime – Conducted by individuals working alone or in organised groups. Cyber criminals are intent on extracting money or data, or on causing disruption. Cyber crime can take many forms, including the acquisition of credit/debit card data and intellectual property, and impairing the operations of a website or service.
Cyber war – A nation state conducting sabotage and espionage against another nation in order to cause disruption or to extract data. This could involve the use of advanced persistent threats (APTs).
Cyber terror – An organisation, working independently of a nation state, conducting terrorist activities through the medium of cyberspace. Organisations that have to consider measures against cyber war or cyber terror include governments, those within the critical national infrastructure, and very high-profile institutions. It is unlikely that most organisations will face the threat of cyber war or cyber terror.
Cyberspace is unregulated and it is increasingly simple and inexpensive to commit cyber crime; criminals can even buy off-the-shelf hacking software, complete with support services. Congruent with the rapid pace of technological change, the world of cyber crime never stops innovating. Every month, Microsoft publishes a bulletin of the vulnerabilities of its systems, an ever-growing list of known threats, bugs and viruses. For a more complete overview of cyber security threats, mailing lists such as Bugtraq can provide up-to-date resources listing all new bugs.
Types of malware
Cyber criminals operate remotely, in what is called ‘automation at a distance’, using numerous types of attack that broadly fall under the umbrella term ‘malware’ (malicious software). These include:
Viruses
Aim: Gain access to, steal, modify and/or corrupt information and files from a targeted computer system.
Technique: A virus is a small piece of code that can replicate itself and spread from one computer to another by attaching itself to another computer file.
Worms
Aim: Exploit weaknesses in operating systems to damage networks and deliver payloads that allow remote control of the infected computer.
Technique: Worms are self-replicating and do not require a program to attach themselves to. Worms continually look for vulnerabilities and report back to the worm author when weaknesses are discovered.
Spyware/adware
Aim: Take control of your computer and/or collect personal information without your knowledge.
Technique: Spyware/adware can be installed on your computer when you open attachments, click on links or download infected software.
Trojans
Aim: Create a ‘backdoor’ on your computer by which information can be stolen and damage caused.
Technique: A Trojan virus is a program that appears to perform one function (for example, virus removal) but actually performs malicious activity when executed.
There are also a number of attack vectors available to cyber criminals that allow them to infect computers with malware or harvest stolen data:
Phishing – An attempt to acquire users’ information by masquerading as a legitimate entity. Examples include spoof emails and websites. See ‘social engineering’ below.
Pharming – An attack to redirect a website’s traffic to a different, fake website, where the individuals’ information is then compromised. See ‘social engineering’ below.
Drive-by – Opportunistic attacks against specific weaknesses within a system.
Man in the middle (MITM) – An attack where a middleman impersonates each endpoint and is able to manipulate both victims.
Social engineering – An exploitation of an individual’s weakness, achieved by making them click malicious links, or by physically gaining access to a computer through deception. Pharming and phishing are examples of social engineering.
In order to achieve real cyber security, today’s organisations have to recognise that software alone is not enough to protect them from cyber threats. The three fundamental domains of effective cyber security are people, processes and technology.