Human beings have a natural tendency to remember the good times and to push the more difficult issues in life to the back of their minds. Most of us tend not to focus on things that seem unlikely to happen in the short term, and so we overlook the inevitability of unexpected problems that will occur later.
An organisation’s data is one of its most important assets, and protecting it is vital, especially in today’s environment where access to data is so easily obtained. Most organisations do have controls, such as access controls, to prevent unfettered access to data. However, just as we can temporarily ignore the inevitability of future personal problems, we can also overlook the certainty of potential breaches of our IT security over data. Where there is information there will be someone, somewhere, at some time looking to access that data inappropriately.
The subject of data security is very broad and we thought it would be worthwhile to discuss certain risks that organisations often overlook. Before doing so it is important to recognise the frequency of security breaches, where they typically occur, and the lack of knowledge and skills available in the marketplace. Recently the Information Systems Audit and Control Association (“ISACA”) conducted a survey of cybersecurity managers and published “State of Cybersecurity – Implications for 2016”. Some of the highlights from that survey are summarised below:
Type and frequency of daily incidences of malicious activity

| Type of activity | % |
|---|---|
| Online identity theft | 4 |
| Loss of intellectual property | 1 |
| Intentional damage to computer systems | 1 |
It is concerning that in organizations this amount of daily malicious activity is occurring. Organizations are obviously not taking their security responsibilities seriously enough!
Qualified applicants – how many cybersecurity applicants are qualified upon hire?

| Percentage qualified on hire | Percentage surveyed (%) |
|---|---|
| 20 – 50% | 11 |
Clearly there are not enough skills in the marketplace to address the cybersecurity threats and organisations need to ensure that appropriate recruiting/screening and training practices are adopted.
Malicious code/software (malware) is any software that gives its creator partial or full control of your computer to do whatever the creator wants. Malware can be a virus, worm, trojan, adware, spyware, rootkit, etc. It is very common for people to use the word “virus”; however, a virus is just one of many types of malware.
The impact of malware varies widely. It ranges from using your computer (without your knowledge) to conduct attacks or to spread spam and viruses, to formatting your hard drive. Malware can also build on your computer (without your knowledge) a platform for the next attack, or encrypt your files and demand that a ransom be paid to recover them (ransomware is another type of malware).
Malware mitigation controls generally include Anti-Virus, Intrusion Detection and Intrusion Prevention Systems (IDS/IPS), firewalls, hardware and software for detecting Advanced Persistent Threats. However, as we know “a chain is only as strong as its weakest link” and the weakest link is not surprisingly humans. Therefore, security awareness training remains one of the most important controls.
Although most people have heard the term hacking, many do not have a comprehensive knowledge of what is involved and what risks it poses to an organisation. A computer hacker is somebody skilled at manipulating computers. Generally, the term hacker is used to refer to a person who breaks into computer systems. Hackers may do this for material gain, to harm another person or as a prank. A hacker may also have more positive motivations — some hackers aim to expose security flaws before other, less scrupulous people can exploit them. While hacking is often thought of as a computer expert sitting in front of a computer, hackers can also exploit social situations in which an individual inadvertently discloses personal information that can then be used to break passwords, etc.
Alongside external hacking there are often cases where employees have valid access to information but use that access inappropriately. For example, an employee could access an organisation’s proprietary information for personal use, or could pass that information on to third parties for personal gain. This can be detected by monitoring the transfer of large amounts of sensitive information out of the organisation and how the transfer was done. The timing of computer use can also be monitored, i.e. why is a person regularly accessing the organisation’s information at 10pm when he/she finishes work at 5pm?
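The two insider-detection checks described above, off-hours access and unusually large data transfers, as an added worked example (this is not code from the article or from PFC). The log format, the user names, the 08:00–18:00 working day and the 500 MiB per-user daily threshold are all assumptions; the log lines are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample access log (hypothetical, not from the article):
# user,ISO timestamp,action,bytes transferred
SAMPLE_LOG = """\
alice,2016-03-01T09:12:00,read,20480
alice,2016-03-01T14:40:00,read,51200
bob,2016-03-01T22:05:00,read,734003200
bob,2016-03-01T22:17:00,usb_copy,734003200
carol,2016-03-01T17:30:00,read,10240
carol,2016-03-02T03:15:00,read,4096
"""

# Assumed working day and bulk-transfer threshold; tune these to the organisation.
WORK_START = time(8, 0)
WORK_END = time(18, 0)
BULK_THRESHOLD_BYTES = 500 * 1024 * 1024  # 500 MiB per user per day


@dataclass
class Event:
    user: str
    ts: datetime
    action: str
    nbytes: int


def parse_log(text: str) -> list[Event]:
    """Parse the four-column CSV log into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, action, nbytes = line.split(",")
        events.append(Event(user, datetime.fromisoformat(ts), action, int(nbytes)))
    return events


def off_hours(events: list[Event], start: time = WORK_START, end: time = WORK_END) -> list[Event]:
    """Events outside the working day (the article's 10pm-when-you-finish-at-5pm case)."""
    return [e for e in events if not (start <= e.ts.time() < end)]


def bulk_transfers(events: list[Event], threshold: int = BULK_THRESHOLD_BYTES) -> dict:
    """Per-(user, day) byte totals that meet or exceed the threshold."""
    totals: dict = {}
    for e in events:
        key = (e.user, e.ts.date().isoformat())
        totals[key] = totals.get(key, 0) + e.nbytes
    return {k: v for k, v in totals.items() if v >= threshold}


def review(text: str) -> list[str]:
    """Run both checks over a log and return human-readable findings."""
    events = parse_log(text)
    findings = []
    for e in off_hours(events):
        findings.append(f"off-hours access by {e.user} at {e.ts:%Y-%m-%d %H:%M} ({e.action})")
    for (user, day), total in sorted(bulk_transfers(events).items()):
        findings.append(f"bulk transfer by {user} on {day}: {total // 2**20} MiB")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the constructed log this flags bob’s two late-evening reads (which together also trip the bulk threshold) and carol’s 03:15 access, while alice’s daytime activity passes. In practice the two signals are most useful together: a large transfer during the working day may be routine, but the same volume at 22:00 over a removable drive is what the review should surface.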
When a network or system has been compromised by hacking, we typically look for several controls:
• Preventative Controls: Intrusion Detection Systems, Anti-Virus, Firewalls, Web Filtering Services; however, these controls are good only for “known” threats, for which vendors have developed signatures;
• Detective Controls: Advanced Persistent Threats are one of the most sophisticated and dangerous threats; only behavioural-like detection systems can detect and identify them;
• Security Awareness: despite all advanced technologies humans are the weakest point. “Security is only as good as your weakest point” – this statement relates to hackers but also applies to all areas of IT security.
There are also many cases where hackers gather some minor but key information about employees, come to the offices wearing “service” or “janitor” work clothes, and steal all sorts of assets (from documents to laptops). This can be prevented by building security, automatic log-off, passwords, etc.
Additionally, the SANS Institute (a cooperative research and education organization) promotes the idea of layered security. This means that: a) company personnel have good security awareness; b) company employees adhere to all types of security controls, from physical security (an employee must have an access card in order to enter a floor) through to administrative controls (an employee must complete yearly security awareness training and sign the company compliance policy).
Online identity theft
Identity theft is the deliberate use of somebody else’s identity in order to impersonate them. Its purpose can be financial gain (obtaining credit details etc.), obtaining medical information (medical care or drugs), or terrorism and espionage (obtaining unauthorised information).
Mitigation controls for identity theft include security awareness, fraud detection and prevention software, strong authentication etc. However, conducting an Information Risk Assessment, which includes a Privacy Impact Assessment, is one of the key controls for managing risks associated with identity theft.
General Computer Controls
While the vast majority of organisations have processes and controls in place to authorise their employees’ access to systems and to prevent inappropriate access, including conflicting access, these processes and controls need to be monitored periodically to ensure that they are still operational and effective.
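The periodic access review described above, as an added worked example (not code from the article or from PFC). It reconciles the access a system has actually granted against HR’s list of active employees, checks for segregation-of-duties conflicts, and flags access that has not been re-certified within the review window. The employee names, entitlements, conflict rules and the 180-day recertification period are all assumptions constructed for the example.

```python
from datetime import date

# Constructed data (hypothetical, not from the article).
# HR's list of active employees and their departments.
HR_ACTIVE = {"alice": "accounts_payable", "bob": "it", "carol": "purchasing"}

# Entitlements actually granted in the application (what the system says).
ENTITLEMENTS = {
    "alice": {"ap_invoice_entry", "ap_payment_release"},
    "bob": {"domain_admin"},
    "carol": {"po_create"},
    "dave": {"po_create", "ap_invoice_entry"},  # dave has left but was never deprovisioned
}

# Date on which each user's access was last certified by their manager.
LAST_CERTIFIED = {
    "alice": date(2016, 1, 10),
    "bob": date(2015, 6, 1),
    "carol": date(2016, 2, 20),
}

# Segregation-of-duties rules: holding every right in the set is a conflict.
SOD_RULES = [
    ({"ap_invoice_entry", "ap_payment_release"}, "can both enter and release payments"),
    ({"po_create", "ap_invoice_entry"}, "can both raise purchase orders and book invoices"),
]

RECERT_WINDOW_DAYS = 180          # assumed recertification period
REVIEW_DATE = date(2016, 3, 1)    # date the review is run


def orphaned_accounts(entitlements, hr_active):
    """Accounts holding access that HR no longer lists as active employees."""
    return sorted(user for user in entitlements if user not in hr_active)


def sod_violations(entitlements, rules):
    """(user, description) for every user whose rights cover a conflicting set."""
    violations = []
    for user, rights in sorted(entitlements.items()):
        for conflicting, description in rules:
            if conflicting <= rights:  # subset test: user holds all conflicting rights
                violations.append((user, description))
    return violations


def stale_certifications(entitlements, last_certified, as_of, window_days=RECERT_WINDOW_DAYS):
    """Users whose access was never certified, or not within the window."""
    stale = []
    for user in sorted(entitlements):
        certified = last_certified.get(user)
        if certified is None or (as_of - certified).days > window_days:
            stale.append(user)
    return stale


def access_review(entitlements, hr_active, last_certified, rules, as_of):
    """Combine the three checks into one review report."""
    return {
        "orphaned": orphaned_accounts(entitlements, hr_active),
        "sod": sod_violations(entitlements, rules),
        "stale": stale_certifications(entitlements, last_certified, as_of),
    }


if __name__ == "__main__":
    report = access_review(ENTITLEMENTS, HR_ACTIVE, LAST_CERTIFIED, SOD_RULES, REVIEW_DATE)
    for category, items in report.items():
        print(f"{category}: {items}")
```

Run against the constructed data, the review reports dave as an orphaned account, alice and dave as segregation-of-duties conflicts, and bob and dave as overdue for recertification. Each of these is a control that was presumably set up correctly at the time access was granted and has since drifted, which is exactly why the review has to be repeated on a schedule rather than performed once.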
Tip of the Iceberg
This article has briefly described some of the main cyber-security threats, but there are many more that security-conscious organisations should be aware of and have preventative or detective controls in place for. Do not incur expensive security breaches – continuously monitor the position. There is no unique/universal model for protecting an organisation’s or company’s assets – there is no “ideal” security model. All companies and organisations are different, starting from the nature of the business and finishing with the culture and the company’s style. This is why it is very important to engage security professionals, so that they can assess, audit and develop the security controls most applicable to your organisation. PFC can assist with all aspects of IT Security.
Do not wait for the shark to bite you! – Act Early – Let’s talk.
For further discussion on this subject please contact PFC representative or e-mail: email@example.com or call us: +1(403) 375 9955