Keeping up with Cybersecurity

What is Cybersecurity?

The National Institute of Standards and Technology (NIST) defines cybersecurity as “the prevention of damage to, unauthorized use of, exploitation of, and—if needed—the restoration of electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity and availability of these systems” [1].

New technological initiatives and trends, such as “bring your own device”, the internet of things (IoT), cloud-based applications and distributed ledger technologies have fuelled (and continue to bring about) a rapid growth in the global cybersecurity market. Contributors to this market growth also include the evolving security requirements, frameworks and data protection mechanisms corresponding to such trends.

However, at its core, cybersecurity involves protecting information systems, and the data that they process, from cyber threats.

The onslaught of evolving technological trends is also met by skilful cyber-adversaries which implement increasingly sophisticated cyber-attacks to exploit an Organisation’s vulnerabilities. Some of the key threats to look out for are listed below:

The infamous 'H'

When discussing cyber threats, ‘Hacking’ is a word that gets thrown around far too often and the true nature of it becomes blurred. Similar to battles in history, no two hacks are exactly alike - Hackers use similar strategies and tactics which are time-proven to be effective.

For instance, hackers may:

First use social engineering to gather information about a target, whether this is a person or an organisation, by convincing employees or individuals to give up personal or sensitive information;
Then unveil an organisation’s vulnerabilities by performing vulnerability scans prior to an attack;
Finally gain unauthorised privileged access to a system and use rootkits to hide their presence on a system.

A very abridged list of hacking techniques includes the use of Malware, Phishing and Denial of Service (DoS).

Malware

Malware refers to various types of harmful software used by hackers to gain a foothold in users’ computers, which include Viruses, Trojans, Rootkits, Bots, Worms and Ransomware.

Capabilities of malware extend from taking control of one’s machine (such as via Ransomware), to monitoring one’s activity (such as via Trojans) and sneaking out sensitive data from a system (such as via Bots).

Social engineering is one way a hacker might inject malware into a system, but other vulnerabilities are also often used, such as: requesting a user to click on a link, download a file, or open an attachment, which may all look legitimate, but would give the hacker a free pass to install malware on the user’s computer.

Phishing and Business E-mail Compromise (BEC)

Similar to fishing in a lake, cyber-criminals use phishing to capture information from unsuspecting users. The bait is oftentimes a seemingly legitimate e-mail sent to unsuspecting users. The catch can be anything from personal, to sensitive company data and financial information, as the e-mail may state that a user’s information needs to be updated, that a password needs to be renewed, or that a credit card number needs to be verified.

You may not be the catch of the day, however, even if you visit the false website and just enter your username and password, the phisher may be able to gain access to more information by just logging in to your account.

According to the FBI, criminals made at least $676 million in 2017 with business e-mail compromise (BEC) campaigns. These attacks are a con game that scammers start with spear phishing – which is phishing but targeted to a specific person [2].
In 2013, a hacker impersonated a large Asian-based manufacturer requiring payments for computer supplies and managed to scrape $100 million from firms, which included internet giants such as Google and Facebook [3].

Denial of Service (DoS)

Denial of Service (DoS) attacks are intended to overload a machine, server or network with an overwhelming amount of traffic, to make services inaccessible to the targeted audience.

Malicious DoS attacks have been used by hackers to extract money, to make some kind of statement, and by States to threaten or punish their adversaries [4].

How high is the risk of threat?

Mathematically, risk is defined as Probability times Loss. Similarly, in information security, risk is dependent on the Vulnerability (which exposes a system to threats), the Threat itself (which depends on forces of nature, human deliberate or accidental intent, capability and opportunity) and Consequence [5].

Vulnerabilities and Threat actors will persist, and will not always be within reasonable control, especially when using interconnected technological systems. Nevertheless, an Organisation’s approach should be focussed on lessening their potential consequences. Following is a brief list of security best practices, which for context, correspond to the cyber-threats listed previously.

Establish policies to get the ball rolling – Salient controls should be defined in an Information Security Policy, a Password Policy, a NDA Policy for contractors/third-parties, an Internet Usage Policy and a System Access Control Policy, to mention a view.
Consider the ties between cybersecurity and human error – Provide frequent and sufficient training for employees at different levels of your Organisation. Use quizzes, tests, daily reminders, present catastrophic case-scenarios of cyber-attacks in industry, and any other means necessary to teach employees how to look out for and prevent threat.
Make the training in (2) Mandatory.
Repeat (2) (to a different degree) with contactors and third-parties that access your information system.
Develop a robust incident management system – Keep up with hackers who are constantly improving their skills; Ensure appropriate incident response and business continuity plans are in place to be more effective during attacks. This may mean categorising different incidents, identifying resources needed to respond to any of these incidents and training an incident response team.
Use Intrusion Prevention and Intrusion Detection systems (IPS and IDS), Firewalls, and Antivirus Software.