5 Principles for Cyber Security: Cyber Security Handbook

Oct 18, 2017 by infocon in  cyber security

 

With global market trends shifting towards complete digitization, the nature of corporate asset value has also been changing. Maximum companies now consist of either intellectual property (IP) or other intangibles. As with AI, digital disruption in finance sector brings with it the corresponding risk of digitizing corporate assets.

According to latest research, corporations across the world are losing billions of dollars every year from the loss of altered or destroyed financial consumer data, traded algorithms, etc. Adding regulatory and legal exposure, the risk only multiplies.

Cyber systems are becoming even more insecure with the explosion of networked connection of almost every physical asset from phone cameras to refrigerators, known widely as “Internet of Things”. On the other hand, hackers are improvising their tricks. Attacks are being launched against commercial entities for political or economic purposes.

Surprisingly, cyber attacks are cheaper and easily accessible, with even weaker law enforcements. Less than 2% of cybercriminals are prosecuted. The imbalance is worsened because corporate entities undermine cybersecurity.

Cloud computing is cost-efficient but the matter of security gets complicated. Hence, corporate organizations are urgently faced with the need of maintaining their enterprises without risking their security.

To cope with the above, many associations set guidelines for their clients to follow.

The National Association of Corporate Directors’ Cyber Security Handbook has identified five core principles for corporate boards to enhance their cyber-risk management:

1.Understand that cybersecurity is an enterprise-wide risk management issue. Thinking of cybersecurity as an IT issue to be addressed simply with technical solutions is an inherently flawed strategy. The single biggest vulnerability in cybersystems is people – insiders. Cybersecurity costs are managed most efficiently when integrated into core business decisions such as product launches, M&A and marketing strategies. Moreover, in an integrated world, organizations must take into account the risk created by their vendors, suppliers and customers as their weaknesses can be exploited to the detriment of the home system.

2.Directors need to understand the legal implications of cyber-risk. The legal situation with respect to cybersecurity is unsettled and quickly evolving. There is no one standard that applies, especially for organizations that do business in multiple jurisdictions. It is critical that organizations systematically track the evolving laws and regulations in their markets.

3.Boards need adequate access to cybersecurity expertise. Although cybersecurity issues are becoming as central to business decisions as legal and financial considerations, most boards lack the needed expertise to evaluate cyber-risk. Many boards are now recruiting cyber professionals for board seats to assist in analysing and judging staff reports. At a minimum, boards should regularly make adequate time for cybersecurity at board meetings as part of the audit or similar committee reports.

4.Directors need to set an expectation that management have an enterprise-wide cyber-risk management framework in place. At a base level, each organization ought to have an enterprise-wide cyber-risk team led by a senior official with cross-departmental authority that meets regularly, has a separate budget, creates an organization-wide plan and exercises it.

5.Based on the plan, management needs to have a method to assess the damage of a cyber-event. They need to identify which risks can be avoided, mitigated, accepted or transferred through insurance. This means they need to identify which data, and how much, the organization is willing to lose or have compromised. Risk mitigation budgets need to then be allocated appropriately between defending against basic and advanced risks.

Any organization must follow these principles to establish a sustainably secure cyber-risk management system.

 

 

 

 

Why ‘WannaCry’ must be a lesson for all

Oct 24, 2017

May 12, 2017 is one of the most dreadful days of the year for cyber experts and its stakeholders. About 150 countries across the globe suffered a cyber-attack, affecting 200,000 computers.

It was the infamous “WannaCry” ransomware in which hackers locked people out of their computers, demanding a ransom of $300 in bitcoins. Medical care became inaccessible and factories were shut down for more than 2 days to minimize loss of confidential and further damage.

Here goes a brief on one of the most dangerous ransomware attacks in the Cyber-verse:

What is “WannaCry”?

“WannaCry” appears to have utilized a flaw in Microsoft’s software, discovered by the National Security Agency, which was quickly leaked by hackers. The malicious code that relied on the victims opening a zip file emailed to them, spread rapidly across networks locking away files one by one. From then on, the programme used Microsoft’s flaw to thrive.

Microsoft had released a security update which addressed the vulnerability in the sixteen year old Windows XP operating system, in March 2017. This update was exploited by the hackers to trigger the massive ransomware attack.

 

 

Who got affected?

Several computer networks worldwide were affected, including Telefonica as well as other major organizations in Spain. The British National Health Service (NHS), too, was forced to cancel scheduled patients.

FedEx, Deutsche Bahn, the Russian Interior  Ministry and Russian telecom MegaFon were barred from normal operating services. According to Quartz the three bitcoin wallets used in the attack received just under 300 payments totalling a sum of 48.8635565 bitcoins, which is the equivalent of about $101,000.

 

What is a ransomware attack?

The term ‘ransomware’ appeared in 2005 in the US with the first notable biggest threats to security. While cyber experts maintain it to be 2005, the history of ransomware goes back to 1989.

 

PC CYBORG advisory from 1989. Screenshot via Security Focus

 

According to Becker’s Hospital Review, the earliest ransomware attack occurred in 1989, targeting the healthcare industry. Tracing the same, the healthcare industry still remains a top target for such attacks even after twenty eight years.

Ransomware is a cyber-attack wherein hackers gain control over a computer system and block access to it until the demanded ransom is paid. Hackers get control of systems by downloading a type of malicious software onto a device within the network. This is usually done by getting a victim to click on download link by mistake. The link is normally attached with an email, which once opened, encrypts the hard drive. Once the software gets into the victim’s computer, it enables the hackers to launch an attack that locks all files it can find within that network.

The recent ‘WannaCry’, also known as Wanna Decryptor is a ransomware programme that locks all the available data in the system leaving the user with only instructions on what to do next and the Wanna Decryptor programme itself.

When the software is opened, it tells the users that the files on their computer have been encrypted. It then gives them a few days to pay up, warning that their files will otherwise be deleted. It generally gives them instructions to pay in Bitcoin, providing the Bitcoin address for it to be sent to.

 

 

What is the way out?

Larger organizations should ideally follow the guidelines provided by concerned institutions:

  • Apply the latest Microsoft security patches for this particular flaw.
  • Ensure all outgoing and incoming emails are scanned for malicious attachments.
  • Ensure anti-virus programmes are up to date and conducting regular scans.
  • Backup all key data and information.
  • Organize education programmes on malware so employees can identify scams, malicious links or emails that may contain hazardous viruses.
  • Run “penetration tests” against your network’s security at least once a year.

Many experts even suggested restoring all files from a backup. If that isn’t possible, there are tools that can decrypt and recover some information.

A brief on India’s Cyber Security Status

Oct 17, 2017

The biggest story of 2016 is undoubtedly the alarming rise of cyber crime. A look at global IT industries explains that we’re facing a lack of efficient professionals. According to the Cyber Security Ventures ‘Cyber Security Jobs Report’, there were 1 million cyber security job openings in 2016. The number is expected to grow to 1.5 million by 2019.

Against the backdrop, the scenario of India’s cyber security industry is no exception. A quick glance at one of the most notable security breaches in the country shows:

1)   Cyber criminals breached the country’s largest government site – the Indian Railways Catering and Tourism Corporation (IRCTC) website, stealing around 10 million records from the server of the e-ticketing portal.

2)    A cyber criminal by the name ‘Faisal’ allegedly breached the website of Canara Bank, defacing it by inserting a malicious page and blocking some of its payment services.

3)    Fraudsters broke into the email account of Binny Bansal, CEO of Flipkart, sending two emails to the Chief Financial Officer (CFO) demanding a sum of $80,000.

Further look at similar incidents show that majority of these attacks happened in the e-commerce and banking sectors. The reason for this is found to be a high value of personally identifiable information )PII) in these industries.

According to ‘M-Trends 2016, Asia-Pacific Edition’ by Mandiant Consulting, Indian organizations are more susceptible to data breaches. Poor investments in high-end security solutions are to blame, as experts say. This must sound caution to smaller and bigger organizations both.

In the wake of this, the Indian government has started to invest money in recruiting cyber security experts. Partnerships with top international security firms have also been registered. The recent Memorandum of Understanding (MoU) between the national cyber security agencies of India and the U.K. is a step in the direction. The exchange of technical information on cyber attacks, security incidents and solutions will benefit both countries in fighting cyber crime together.

what is cyber security, what is cyber security audit, types of cyber security, improtance of cyber sicurity, types of cyber security threats

What is cyber security? How to build a cyber security strategy

Dec 28, 2017

Organizations face many threats to their information systems and data. Understanding all the basic elements to cyber security is the first step to meeting those threats.

Cyber security is the practice of ensuring the integrity, confidentiality and availability (ICA) of information. It represents the ability to defend against and recover from accidents like hard drive failures or power outages, and from attacks by adversaries. The latter includes everyone from script kiddies to hackers and criminal groups capable of executing advanced persistent threats (APTs), and they pose serious threats to the enterprise. Business continuity and disaster recovery planning are every bit as critical to cyber security as application and network security.

Security should be top of mind across the enterprise, and come with a mandate from senior management. The fragility of the information world we now live in also demands strong cyber security controls. Management should see that all systems are built to certain security standards and that employees are properly trained. All code, for example, has bugs, and some of those bugs are security flaws. Developers are only human, after all.

Security training

The human is always the weakest element in any cyber security program. Training developers to code securely, training operations staff to prioritize a strong security posture, training end users to spot phishing emails and social engineering attacks — cyber security begins with awareness.

All companies will experience some kind of cyber attack, even if strong controls are in place. An attacker will always exploit the weakest link, and many attacks are easily preventable by performing basic security tasks, sometimes referred to as “cyber hygiene.” A surgeon would never enter an operating room without washing their hands first. Likewise, an enterprise has a duty to perform the basic elements of cyber security care such as maintaining strong authentication practices and not storing sensitive data where it is openly accessible.

A good cyber security strategy needs to go beyond these basics, though. Sophisticated hackers can circumvent most defenses, and the attack surface — the number of ways or “vectors” an attacker can gain entry to a system — is expanding for most companies. For example, the information and the physical world are merging, and criminals and nation-state spies now threaten the ICA of cyber-physical systems such as cars, power plants, medical devices, even your IoT fridge. Similarly, the trends toward cloud computing, bring your own device (BYOD) policies in the workplace, and the burgeoning internet of things (IoT) create new challenges. Defending these systems has never been more important.

Further complicating cyber security is the regulatory climate around consumer privacy. Compliance with stringent regulatory frameworks like the European Union’s General Data Protection Regulation (GDPR) also demands new kinds of roles to ensure that organizations meet the privacy and security mandates of the GDPR and other regulations.

As a result, growing demand for cyber security professionals has hiring managers struggling to fill positions with qualified candidates. That struggle requires organizations to have a sharp focus on areas of greatest risk.

Types of cyber security

The scope of cyber security is broad. The core areas are described below, and any good cyber security strategy should take them all into account.

Critical infrastructure

Critical infrastructure includes the cyber-physical systems that society relies on, including the electricity grid, water purification, traffic lights and hospitals. Plugging a power plant into the internet, for example, makes it vulnerable to cyber attacks. The solution for organizations responsible for critical infrastructure is to perform due diligence to protect understand the vulnerabilities and protect against them. Everyone else should evaluate how an attack on critical infrastructure they depend on might affect them and then develop a contingency plan.

Network security

Network security guards against unauthorized intrusion as well as malicious insiders. Ensuring network security often requires trade-offs. For example, access controls such as extra logins might be necessary, but slow down productivity.

Tools used to monitor network security generate a lot of data — so much that valid alerts are often missed. To help better manage network security monitoring, security teams are increasingly using machine learning to flag abnormal traffic and alert to threats in real time.

Cloud security

The enterprise’s move into the cloud creates new security challenges. For example, 2017 has seen almost weekly data breaches from poorly configured cloud instances. Cloud providers are creating new security tools to help enterprise users better secure their data, but the bottom line remains: Moving to the cloud is not a panacea for performing due diligence when it comes to cyber security.

Application security

Application security (AppSec), especially web application security, has become the weakest technical point of attack, but few organizations adequately mitigate all the OWASP Top Ten web vulnerabilities. AppSec begins with secure coding practices, and should be augmented by fuzzing and penetration testing.

Rapid application development and deployment to the cloud has seen the advent of DevOps as a new discipline. DevOps teams typically prioritize business needs over security, a focus that will likely change given the proliferation of threats.

Internet of things (IoT) security

IoT refers to a wide variety of critical and non-critical cyber physical systems, like appliances, sensors, printers and security cameras. IoT devices frequently ship in an insecure state and offer little to no security patching, posing threats to not only their users, but also to others on the internet, as these devices often find themselves part of a botnet. This poses unique security challenges for both home users and society.

Types of cyber security threats

Common cyber threats fall under three general categories:

Attacks on confidentiality: Stealing, or rather copying, a target’s personal information is how many cyber attacks begin, including garden-variety criminal attacks like credit card fraud, identity theft, or stealing bitcoin wallets. Nation-state spies make confidentiality attacks a major portion of their work, seeking to acquire confidential information for political, military, or economic gain.

Attacks on integrity: Also known by its common name, sabotage, integrity attacks seek to corrupt, damage, or destroy information or systems, and the people who rely on them. Integrity attacks can be subtle — a typo here, a bit fiddled there — or a slash and burn campaign of sabotage against a target. Perpetrators can range from script kiddies to nation-state attackers.

Attacks on availability: Preventing a target from accessing their data is most frequently seen today in the form of ransomware and denial-of-service attacks. Ransomware encrypts a target’s data and demands a ransom to decrypt it. A denial-of-service attack, typically in the form of a distributed denial-of-service (DDoS) attack, floods a network resource with requests, making it unavailable.

The following describes the means by which these attacks are carried out.

Social engineering

Attackers aren’t going to hack a computer if they can hack a human instead. Socially engineered malware, often used to deliver ransomware, is the No. 1 method of attack (not a buffer overflow, misconfiguration, or advanced exploit). An end-user is tricked into running a Trojan horse program, often from a website they trust and visit often. Ongoing user education is the best countermeasure against this attack.

Phishing attacks

Sometimes the best way to steal someone’s password is to trick them into revealing it This accounts for the spectacular success of phishing. Even smart users, well-trained in security, can fall for a phishing attack. That’s why the best defense is two-factor authentication (2FA) — a stolen password is worthless to an attacker without a second factor, such as hardware security token, or soft token authenticator app on the user’s phone.

Unpatched software

It’s hard to blame your enterprise if an attacker deploys a zero-day exploit against you, but failure to patch looks a lot like failure to perform due diligence. If months and years pass after disclosure of a vulnerability, and your enterprise has not applied that security patch, you open yourself to accusations of negligence. Patch, patch, patch.

Social media threats

Catfishing isn’t just for the dating scene. Believable sock puppet accounts can worm their way through your LinkedIn network. If someone who knows 100 of your professional contacts strikes up a conversation about your work, are you going to think it strange? Loose lips sink ships. Expect social media espionage, of both the industrial and nation-state variety.

Advanced persistent threats

Speaking of nation-state adversaries, your enterprise has them. Don’t be surprised if multiple APTs are playing hide-and-go-seek on your corporate network. If you’re doing anything remotely interesting to someone, anywhere, you need to consider your security posture against sophisticated APTs. Nowhere is this more true than in the technology space, an industry rich with valuable intellectual property many criminals and nations will not scruple to steal.

Cybersecurity careers

Executing a strong cyber security strategy requires you have the right people in place. The demand for professional cyber security folk has never been higher, from the C-suite down to the security engineers working on the front lines. Security leaders have elbowed their way into the C-suite and boardrooms, as protecting company data becomes mission critical for organizations. A chief security officer (CSO) or chief information security officer (CISO) is now a core management position that any serious organization must have.

Roles have also grown more specialized. The days of the generalist security analyst are fading fast. Today a penetration tester might focus on application security, or network security, or phishing users to test security awareness. Incident response may see you on call 24/7. The following roles are the foundation of any security team.

CISO/CSO

The CISO is a C-level management executive who oversees the operations of an organization’s IT security department and related staff. The CISO directs and manages strategy, operations, and the budget to protect an organization’s information assets.

Security analyst

Also referred to as cyber security analyst, data security analyst, information systems security analyst, or IT security analyst, this role typically has these responsibilities:

  • Plan, implement and upgrade security measures and controls
  • Protect digital files and information systems against unauthorized access, modification or destruction
  • Maintain data and monitor security access
  • Conduct internal and external security audits
  • Manage network, intrusion detection and prevention systems
  • Analyze security breaches to determine their root cause
  • Define, implement and maintain corporate security policies
  • Coordinate security plans with outside vendors

Security architect

A good information security architect straddles the business and technical worlds. While the role can vary in the details by industry, is that of a senior-level employee responsible to plan, analyze, design, configure, test, implement, maintain, and support an organization’s computer and network security infrastructure. This requires knowing the business with a comprehensive awareness of its technology and information needs.

Security engineer

The security engineer is on the front line of protecting a company’s assets from threats. The job requires strong technical, organizational and communication skills. IT security engineer is a relatively new job title. Its focus is on quality control within the IT infrastructure. This includes designing, building, and defending scalable, secure, and robust systems; working on operational data center systems and networks; helping the organization understand advanced cyber threats; and helping to create strategies to protect those networks.

2 Comments

Jack

Ok,? Lee mentipned ɑfter which he stopped and tһought.
?The best factor abߋut G᧐d is ??? hmmmm?????..? He puzzlеd as a result of he һɑd sо many
things that hadd bee nice about Godd buut he wanted to choose thhe most effective ⲟne so he woulɗ win tthe game.
?That he knows evеrything. That?s actually cool.
Thatt meаns he will help me with mу hߋmeѡork.? Larry cncluded with a proud expression on his face.

Leave a Comment

Your email address will not be published. Required fields are marked *

Comment *