Cyber security, or information technology security, is the set of techniques for protecting computers, networks, programs and data from unauthorized access or attacks aimed at exploitation.
While rapid technological developments have provided vast areas of new opportunity and potential sources of efficiency for organisations of all sizes, these new technologies have also brought unprecedented threats with them. Cyber security – defined as the protection of systems, networks and data in cyberspace – is a critical issue for all businesses. Cyber security will only become more important as more devices, ‘the internet of things’, become connected to the internet.
Ensuring cybersecurity requires coordinated efforts throughout an information system. Elements of cybersecurity include:
- Application security
- Information security
- Network security
- Disaster recovery / business continuity planning
- End-user education.
One of the most problematic elements of cybersecurity is the quickly and constantly evolving nature of security risks. The traditional approach has been to focus most resources on the most crucial system components and protect against the biggest known threats, which necessitated leaving some less important system components undefended and some less dangerous risks not protected against. Such an approach is insufficient in the current environment.
Introduction to cyber risks
Cyber risks can be divided into three distinct areas:
Conducted by individuals working alone, or in organised groups, intent on extracting money, data or causing disruption, cyber crime can take many forms, including the acquisition of credit/debit card data and intellectual property, and impairing the operations of a website or service.
A nation state conducting sabotage and espionage against another nation in order to cause disruption or to extract data. This could involve the use of Advanced Persistent Threats (APTs).
An organisation, working independently of a nation state, conducting terrorist activities through the medium of cyberspace.
As well as protecting your critical assets, customer details and your operating systems, effective cyber security can also help organisations win new business by providing assurances of their commitment to cyber security to their supply chain partners, stakeholders and customers.
In order to achieve real cyber security, today’s organisations have to recognise that expensive software alone is not enough to protect them from cyber threats. The three fundamental domains of effective cyber security are: people, process and technology.
WHY YOU REALLY NEED TO WORRY ABOUT CYBER SECURITY?
With society practically running off computers and the Internet, cyber security is a real threat to many businesses and homes. Recent attacks have pushed lawmakers to try to approve legislation that will require companies to raise the security of their computer systems. This movement is aimed at preventing worms, viruses, and any other malicious software that could cause a cyber attack. There are three main threats that cyber hacking poses: cyber monetary theft, intellectual property theft, and cyber wars. The last encompasses the potential of another country attacking the United States and severely impacting banking and finances.
Since most industries are now dependent on the use of computers and the internet to conduct business, accessing the control system could wreak havoc, leading to a significant amount of damage and downtime. Sony is a great example of a security breach that left everyone baffled. Not only did the attack inhibit the company from using their computers for days, but they had to spend a significant amount of money to disengage the hackers from accessing additional information. The FBI determined that the attack originated in North Korea and infiltrated the system through sending employees emails containing graphic images.
Breaches Across Every Industry
This is not the only cyber security breach that has happened recently. A number of healthcare and pharmaceutical companies have been the target of cyber hackings as well. Furthermore, the number of cyber attacks happening every year has dramatically increased. The main source of cyber attacks is individuals who are searching for valuable and potentially condemning information that they can sell on the black market. Additionally, breaches have been attempted for the purpose of stealing military information that could spell disaster for our country. If companies invested more into business process management systems, they could become more capable of change, especially in a world where cyber security is a real threat.
While most people do not believe that they could be the target of an attack, hackers have tried to keep a low profile by gaining network access through those who least expect it and then moving up the chain until they reach their intended goal. Companies like Blue Coat and IBM have advised businesses to invest more in protecting their security, but given the gravity of recent attacks, it comes as a surprise to many that the typical amount of revenue businesses devote to IT budgets is a mere five percent.
The JPMorgan Chase Disaster
If you aren’t convinced of the level of threat cyber attacks are to you personally, think of the recent hacking of JPMorgan Chase, which left over 76 million customers’ information exposed. Since this invasion, the company doubled its security budget, allocating $500 million per year to this daunting task. A budget like that not only goes into preventing attacks, but also discovering the breaches quickly to limit the damage. If a hacker successfully accesses the network, protections requiring extra logins, authentication, and encryption of data can be put into place so they are unable to obtain sensitive information.
With an unlimited number of applications, mobile devices, and computers, attacks have grown to an all-time high. Often, attacks can be successfully carried out by simply connecting to unsecured Wi-Fi networks. Although a number of companies have since emerged, claiming to help stop or reverse cyber security attacks, it has been difficult for them to keep up with the ever-evolving and ingenious ways that hackers are accessing data. Overall, there is a general lack of security awareness. Individuals need to be educated on the dangers that exist in the cyber world. More company trainings need to focus on security in addition to the standard subjects involving computer systems, software program use, and other relevant subjects. The only way to beat the cyber security threats that exist is to creatively find solutions to one of today’s most significant economic risks.
WHERE’S THE DATA?
Companies that understand the value that security brings to the business also ensure that they have a comprehensive strategy in place—and that they have the processes and procedures to back up their vision. The guiding principles for strategy are driven, in large part, by their data. Companies will want to ask a seemingly simple question: What’s our most sensitive data? Surprisingly, many companies can’t begin to answer that question. Company leaders will need to identify their most sensitive data. They’ll consider business assets like intellectual property, as well as information that they have a fiduciary responsibility to protect, including customer, business partner, or employee data. As companies undertake this foundational exercise, they will ask: What data do we have? Where are they located? What laws and regulations apply to them? What controls do we have around them? Are we sending data to third parties? If so, is it being handled securely? There’s much work to be done here: In the survey, only 29 percent of companies have an accurate inventory of data—a decline of 10 percent from just two years ago. For companies that have grown through mergers and acquisitions, there’s the additional hurdle of getting a handle on disparate data sources—not to mention different policies, processes, and systems that were inherited with each merger or acquisition. In the process of evaluating what’s currently in place and where the company’s attention needs better focus, some organizations find it helpful to conduct an outside assessment of their current operations. Often, when companies get a glimpse into what really is going on, they are surprised. They discover that the biggest problems may be caused by their employees. 
For example, companies may find that workers lack even a basic awareness of the information security risks to which employees are subjecting the business when they don’t follow policy—for example, they fail to change default passwords or they leave their computers on when they go home. Some companies bring in outside security experts to conduct an assessment, particularly if an organization wants to test the security of its networks. This so-called ethical hacking attempts to penetrate a company’s network to pinpoint vulnerabilities.
In our work as security specialists, the trend we’ve observed is that companies have become much better about protecting the organization from the outside. But once a perpetrator is able to gain access to an internal network—whether by walking in the door and plugging into a network jack or via malware that is dormant on a USB drive that an employee picks up in the parking lot and plugs into his networked computer—we always have been able to gain levels of unauthorized access. A security assessment also might reveal that the company has not kept up with a changing IT environment, especially one in which business units or employees have independently added their own devices or applications to the mix. All too often, businesses maintain the status quo but don’t adequately address how these latest technologies and new ways of working put them at risk.
TYPES OF MALWARE
Cyber criminals operate remotely, in what is called ‘automation at a distance’, using numerous means of attack available, which broadly fall under the umbrella term of malware (malicious software). These include:
Aim: Gain access to, steal, modify and/or corrupt information and files from a targeted computer system.
Technique: A small piece of software program that can replicate itself and spread from one computer to another by attaching itself to another computer file.
Aim: By exploiting weaknesses in operating systems, worms seek to damage networks and often deliver payloads which allow remote control of the infected computer.
Technique: Worms are self-replicating and do not require a program to attach themselves to. Worms continually look for vulnerabilities and report back to the worm author when weaknesses are discovered.
Aim: To take control of your computer and/or to collect personal information without your knowledge.
Technique: By opening attachments, clicking links or downloading infected software, spyware/adware is installed on your computer.
Aim: To create a ‘backdoor’ on your computer by which information can be stolen and damage caused.
Technique: A software program appears to perform one function (for example, virus removal) but actually acts as something else.
STRATEGIES FOR STRENGTHENING THE BUSINESS
With so many risks, business leaders may be unsure of where to focus. In our experience, it is crucial to elevate the role of information security in the organization and emphasize the fact that it is not just a technology function. As a make-or-break business issue, it requires a leader who reports directly to a senior executive. The title of the person—chief security officer, chief information security officer, security director—isn’t what matters. Instead, it’s the ability of that individual to bring security issues to the C-suite and help the management team think and talk about how security affects every other business decision.
Effective security leaders consistently demonstrate the linkages between security and the company’s goals. They remind the rest of the management team that security is a strategic issue. In the survey, the Front-runner group emphasized this approach by citing client requirements as the driving force behind the company’s information security investments. The other respondents pointed to legal and regulatory requirements as the main justification for information security spending in their organizations.
An organization that embraces this mindset, for example, might engage the security leader and the sales leader, together, to consider how better information security can help close or speed sales. They might determine that having well-documented information security controls, processes, or certifications in place enables them to anticipate and address customer concerns immediately when or before the issue first is raised.
Some companies we work with find it effective to have security leaders embedded within each business unit. These individuals report to line-of-business heads and work directly with them to evaluate how security can support each group’s business goals.
There are also a number of attack vectors available to cyber criminals which allow them to infect computers with malware or to harvest stolen data:
An attempt to acquire users’ information by masquerading as a legitimate entity. Examples include spoof emails and websites. See ‘social engineering’ below.
An attack to redirect a website’s traffic to a different, fake website, where the individuals’ information is then compromised. See ‘social engineering’ below.
Opportunistic attacks against specific weaknesses within a system.
‘Man in the middle attack’ where a middleman impersonates each endpoint and is thus able to manipulate both victims.
- Social engineering
Exploiting the weakness of the individual by making them click malicious links, or by physically gaining access to a computer through deception. Pharming and phishing are examples of social engineering.
BACK IN THE CORPORATE WORLD
Is cybersecurity still considered a purely technical matter? Or do businesses understand that it is the lynchpin for safeguarding their most precious assets—intellectual property, customer information, financial data, employee records, and much more?
It depends upon whom you ask. The PwC, CIO, and CSO survey revealed that executives may say and believe one thing, but the data and expert analysis indicate that they do another. First, the survey asked, How confident are you that your organization’s information security activities are effective? Seventy-two percent of respondents answered that they were very confident or somewhat confident.[4] However, when executives were asked to characterize their company’s approach to information security, identifying whether they possess an information security strategy and have proactively implemented it, the positive results took a nosedive. 14% of executives surveyed admitted to lacking a strategy and being reactive when it came to information security.
Just 43 percent of respondents self-identified as Front-runners; that is, those who felt they have an effective information security strategy in place and are proactive in executing the plan. Those who saw themselves as Strategists (27 percent) felt they have the big picture right but fall down on execution, while Tacticians (15 percent) said they are better at getting things done than in defining a broader strategy. Finally, the Firefighters (14 percent globally but 22 percent in the US) admitted to lacking a strategy and to being reactive regarding information security.
But when it came time to let the data do the talking, the companies that were “walking the walk” and not merely “talking the talk” were significantly fewer: just 13 percent of respondents. These leading companies not only have an information security strategy in place, but they demonstrate a number of other leading practices, including having a high-level security chief, regularly measuring and reviewing the effectiveness of their policies and procedures each year, and possessing a deep understanding of the types of security events that have occurred in their organizations.
Cyber espionage is the practice of using information technology to obtain secret information without permission from its owners or holders. Cyber espionage is most often used to gain strategic, economic, political, or military advantage. It is conducted through the use of cracking techniques and malware. In the US, the Office of the National Counterintelligence Executive released a report in 2011 officially acknowledging the legitimate threat of cyber espionage and its potential to damage the United States’ strategic economic advantage. In a subsequent opinion piece in the Wall Street Journal, former Director of Homeland Security Michael Chertoff elaborated on the economic impact of China’s cyber espionage of intellectual property, which he likens to the “source code” of today’s advanced economies. Through the utilization of its massive and inexpensive workforce, China has cheaply and efficiently driven a number of these ideas directly into production. As the fruits of costly investments in research and development from the hosting nation-states, the theft of these innovations is an immense strategic and economic loss to the targets.
With cyber threats in a state of rapid and continuous evolution, keeping pace in cyber security strategy and operations is a major challenge to governments. Cyber security is a serious concern to private enterprise as well, given the threat to intellectual property and privately-held critical infrastructure. Advisory organizations such as The National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) have recently updated guidelines to promote a more proactive and adaptive approach that prescribes continuous monitoring and real-time assessments.
MAJOR AREAS COVERED IN CYBER-SECURITY
1) Application Security
2) Information Security
3) Disaster recovery
4) Network Security
Application security encompasses measures or counter-measures that are taken during the development life-cycle to protect applications from threats that can come through flaws in the application design, development, deployment, upgrade or maintenance. Some basic techniques used for application security are: a) Input parameter validation, b) User/Role Authentication & Authorization, c) Session management, parameter manipulation & exception management, and d) Auditing and logging.
Information security protects information from unauthorized access to avoid identity theft and to protect privacy. Major techniques used to cover this are: a) Identification, authentication & authorization of user, b) Cryptography.
Disaster recovery planning is a process that includes performing risk assessment, establishing priorities, developing recovery strategies in case of a disaster. Any business should have a concrete plan for disaster recovery to resume normal business operations as quickly as possible after a disaster.
Network security includes activities to protect the usability, reliability, integrity and safety of the network. Effective network security targets a variety of threats and stops them from entering or spreading on the network. Network security components include: a) Anti-virus and anti-spyware, b) Firewall, to block unauthorized access to your network, c) Intrusion prevention systems (IPS), to identify fast-spreading threats, such as zero-day or zero-hour attacks, and d) Virtual Private Networks (VPNs), to provide secure remote access.
YOUR BUSINESS MATTERS
Our clients all have in common that they are front runners in their industry as well as within information security. They already have a high security level, but challenge themselves to improve even further. It is within such an ambitious environment that the SECURITY4SURE Cyber Security Services advice has been essential, and proven itself to a large number of enterprise sized companies across Europe and beyond.
Every industry is different, with business processes, information requirements and security standards that are unique. Acknowledging that, SECURITY4SURE Cyber Security Services has specialized in the industries below. They are the most challenging industries from a security perspective and through a long lasting cooperation SECURITY4SURE Cyber Security Services has a deep understanding of our clients’ business. This results in the best possible return on investment for you as a decision maker in information security.
We at SECURITY4SURE Security Services aim to protect our clients from any unwanted attention, which is why we do not present references or case stories on our web pages.
The financial industry
The industry is undergoing major changes, from right-sizing following the financial crisis to finding new routes to market via online payment and mobile platforms. At the same time regulatory compliance and rising transaction costs drive the need for new infrastructure and new cost efficient and secure applications. In short an environment where IT is both the enabler and the introducer of new risks. We are already advising a large number of financial institutions in Europe and believe that we understand your security needs.
Service providers
Handling big data and keeping them confidential is the nature of this industry. It faces many challenges that are driven by a changing customer landscape and by new technologies. Add to this, compliance standards, privacy law changes, and national interests and you have an absolute need to excel in information security or face threats to your entire business model. This is where F-Secure Cyber Security Services can help you get ahead of the curve.
Gambling & Gaming
Your industry is growing rapidly and new ideas and concepts emerge daily. Your customer segments change, authorities’ regulation changes, and your internal and external threat landscapes need weekly updating. Add to these, human factors involving social engineering, phishing, and organized crime and you may find yourself in a perfect storm of information security challenges. F-Secure Cyber Security Services takes a proactive approach to remedy this situation, stretching from awareness training over secure coding training to the application of our vast experience from gaming and gambling security projects around the world. Our advice can help you through the systems development lifecycle as well as provide you with input for senior management.
Critical Infrastructure
Protecting national interests used to be the job of soldiers and the police. Now many countries realize that their most important infrastructure may be the primary target. An efficient way of bringing a country to its knees is by targeting energy supplies, communication lines, and government services. Add to this that your foes may have had access to your systems for extended time periods and you face a cocktail of information security risks that can be difficult to navigate and defend yourself from.
World leading brands
Your people and your brand are your strongest assets and they represent your intellectual property. Years of building the proper image has positioned you as a world leading brand and shareholder value is at the forefront of your management minds. Protecting this in an online, globalized world where copyright is often seen as “the right to copy” is a challenge even for the best information security team.
INTRODUCTION TO CYBER CRIMINALS
Cyberspace is unregulated and cyber crime is increasingly simple and cheap to commit: the Fortinet 2013 Cybercrime Report found that an effective botnet – a network of private computers infected with malicious software and controlled without the owners’ knowledge – can be established for as little as $700 (about £420), or can be rented for just $535 (about £320) per week. Cyber criminals can now even buy off-the-shelf hacking software, complete with support services.
Congruent with the rapid pace of technological change, the world of cyber crime never stops innovating either. Every month, Microsoft publishes a bulletin of the vulnerabilities of its systems, an ever-growing list of known threats, bugs and viruses.
The companies in this top tier—whom we refer to as security leaders—understand that they are up against different types of cyberthreats. There essentially are four types of attacks, each of which has a different motive. It’s helpful to think of these as storm waves, swirling around your business. At any given time, it is impossible to know which wave will hit and what type of damage it will wreak.
The first and oldest wave is nuisance hacking, in which there is little material impact to the company. A classic example is hackers defacing your company’s website. More serious and widespread is the second wave, which is hacking for financial gain. As business has migrated to the digital world, criminals have, too. What has emerged is a sophisticated criminal ecosystem that has matured to the point that it functions much like any business—management structure, quality control, offshoring, and so on. This type of hacking now goes beyond blindly stealing customer credit card information or employee passwords. For example, hackers might target a company’s financial function in order to obtain its earnings report before it is publicly released. With such advance knowledge, they can profit by acquiring or dumping stock.
Protecting the business from cybercrime is one thing, but companies also must worry about a new type of risk—the advanced persistent threat. If you think the term sounds like it’s out of a spy movie, you’re not far off. This type of hacking is predominantly about stealing intellectual property and typically is associated with state-sponsored espionage. The motives go beyond financial gain. Experts may quibble about the specifics of this type of attack and whether it always has involved use of advanced techniques, but this is a serious and growing threat. It is not an understatement to say that what’s at risk is not only your intellectual property but possibly national security. The high-profile Stuxnet worm case demonstrates how specialized and sophisticated these attacks can be. The Stuxnet worm that was discovered in 2010 was designed to infiltrate industrial control systems, such as those that manage water or power plants. But it wasn’t an infrastructure system that was hit; hackers infiltrated and potentially sabotaged the Iranian systems that manage uranium.
As the chilling details emerge, what’s noteworthy is that the attack was planned (and the worm developed and placed) as many as four years ahead of the incident.
This foresight echoes a trend we have seen in our work with companies such as defense contractors. When they announce plans to acquire another company, perpetrators go after the potential acquisition. Their hope is to embed malicious software on the systems of the acquisition target so that when the companies ultimately are integrated, hackers will have access to the parent company’s systems—even if it means biding time for 18 to 24 months or longer. And it’s not only specialized industries like defense that are at risk for advanced persistent threats. We have seen considerable activity in the financial services and technology industries. In some cases, the perpetrators infiltrate a bank or service provider in order to get access to the organization’s customers’ systems.
Finally, there’s one more type of threat that is on the rise: hacktivism. WikiLeaks immediately comes to mind, but, for the private sector, think of this as the digital equivalent to Occupy Wall Street. The goal of perpetrators is to change or create a public perception of your brand. For example, hackers might obtain sensitive information and disclose it to the public.
CYBER-SECURITY THE NEW BUSINESS PRIORITY
In today’s global, digital world, data rule. Safeguarding intellectual property, financial information, and your company’s reputation is a crucial part of business strategy. Yet with the number of threats and the sophistication of attacks increasing, it’s a formidable challenge.
Information security probably isn’t something that gets a lot of executive attention. It’s the CIO’s job or the responsibility of his lieutenants. Yet every so often when scanning the headlines, news about the latest high-profile cyberattacks elevates your blood pressure as you wonder: Could that happen to us? What would be the impact on our business? How would we respond to customers and shareholders?
But then it’s often back to the more pressing issues of the day, and the state of your company’s information security recedes to the background. You won’t likely give it another thought—until there’s an incident. Then it’s damage-control mode, as the company deals with stolen customer data, disclosure of confidential financial information, a disabled Web storefront, or worse.
This reactive approach is all too common, even though the question is not if a company will suffer an incident but when. In the annual PwC, CIO, and CSO survey of more than 9,600 global executives, 41 percent of US respondents had experienced one or more security incidents during the past year.[1] And that number is rising. Respondents reported financial losses, intellectual property theft, reputational damage, fraud, and legal exposure, among other effects.
Government leaders, at least, are taking notice: Lawmakers, the Securities and Exchange Commission (SEC), and the Administration have been highlighting increased security risks and the need for both the private and public sectors to step up their security game. In October 2011, the SEC issued guidance on the disclosure of cybersecurity risks and incidents.[2] While the guidance didn’t propose new requirements, it reminded company leaders—and boards of directors—of their obligations under current rules. That same month, in the aftermath of disclosures by WikiLeaks, President Obama issued an Executive Order calling for measures to enhance national security in order to reduce the risk of a similar breach in the future.[3] These developments follow ongoing efforts to move cybersecurity legislation through Congress and into law.
Cyber terrorism is the disruptive use of information technology by terrorist groups to further their ideological or political agenda. This takes the form of attacks on networks, computer systems, and telecommunication infrastructures. For example, in response to the removal of a Russian WWII memorial in 2007, Estonia was hit with a massive distributed denial of service (DDoS) attack that knocked almost all ministry networks and two major bank networks offline. The rise in such cyber terrorism attacks is measurable: in the U.S., head of Military Cyber Command Keith B. Alexander stated that cyber attacks on facilities classified as critical infrastructure in the United States have increased 17-fold since 2009.
CYBER SECURITY IN THE INFORMATION AGE
Why every industry needs cyber security to combat cyber villains.
In the age of all things digital, almost every single person has left a footprint on the World Wide Web. We post and share information at the touch of a button, without much thought about where that information may go. With so much data being transmitted on a daily basis, there are those who use the relative anonymity of the internet to maliciously steal valuable and private information. Because of these faceless criminals who lurk in the shadows of the cyber underworld, cyber security has never been more important than it is now.
CYBER SECURITY FOR ORGANISATIONS
An effective cyber security posture should be proportional to the risks faced by each organisation, and should be based on the results of a risk assessment.
Critical Issues – Cyber Security looks at the cyber security challenges facing business today and proposes a fully structured approach to achieving both cyber security and cyber resilience.
All organisations face one of two types of cyber attack:
- They will be deliberately attacked because they have a high profile and appear to have valuable data (or there is some other publicity benefit in a successful attack).
- The attack will be opportunistic, because an automated scan detects the existence of exploitable vulnerabilities. Virtually every Internet-facing entity, unless it has been specifically tested and secured, will have exploitable vulnerabilities.
Cyber criminals are indiscriminate. Where there is a weakness, they will try to exploit it. Therefore, all organisations need to understand the cyber threats they face, and safeguard against them.