Cyber security – defined as the protection of systems, networks and data in cyberspace – is a critical issue for all businesses. Cyber security will only become more important as more devices are connected to the Internet.
While rapid technological developments have provided vast areas of new opportunity and potential sources of efficiency for organisations of all sizes, these new technologies have also brought unprecedented threats.
Cyber security for organisations
An effective cyber security posture should be proportional to the risks faced by each organisation, and should be based on the results of a risk assessment.
All organisations face two types of cyber attack:
They will be deliberately attacked because they have a high profile and appear to have valuable data (or there is some other publicity benefit in a successful attack).
They will be attacked by opportunists because an automated scan detects the existence of exploitable vulnerabilities. Virtually every Internet-facing entity will have exploitable vulnerabilities unless it has been specifically tested and secured.
Cyber criminals are indiscriminate. Where there is a weakness, they will try to exploit it. Therefore, all organisations need to understand the cyber threats they face, and safeguard against them.
For more information on cyber security, we recommend downloading our free green paper Cyber Security – A critical business issue.
Cyber security frameworks
Organisations can use a number of frameworks to reduce the cyber threat. Two popular frameworks used in the UK are ISO 27001 and Cyber Essentials:
ISO 27001 and cyber security
As well as protecting their critical assets, customer details and operating systems, effective cyber security can help organisations win new business by providing assurances of their cyber security commitment to their supply chain, partners, stakeholders and customers.
In order to achieve real cyber security, today’s organisations have to recognise that software alone is not enough to protect them from cyber threats. The three fundamental domains of effective cyber security are people, processes and technology.
ISO 27001 is the internationally recognised best-practice standard for information security management. It forms the backbone of every intelligent cyber security risk management strategy. Other standards, frameworks and methodologies need ISO 27001 in order to deliver their specific added value. Implementing ISO 27001 will help you protect your information assets in cyberspace, comply with your regulatory obligations, and thrive by assuring your customers and stakeholders that you are cyber secure.
The Cyber Essentials scheme was developed by the UK government to help businesses deal with the business-critical issues of cyber security and cyber resilience. The scheme provides a set of controls that organisations can implement to achieve a basic level of cyber security.
Types of cyber risks
Cyber risks can be divided into three distinct types:
Cyber crime – Conducted by individuals working alone or in organised groups. Cyber criminals are intent on extracting money or data, or on causing disruption. Cyber crime can take many forms, including the acquisition of credit/debit card data and intellectual property, and impairing the operations of a website or service.
Cyber war – A nation state conducting sabotage and espionage against another nation in order to cause disruption or to extract data. This could involve the use of advanced persistent threats (APTs).
Cyber terror – An organisation, working independently of a nation state, conducting terrorist activities through the medium of cyberspace.
Organisations that have to consider measures against cyber war or cyber terror include governments, those within the critical national infrastructure, and very high-profile institutions. It is unlikely that most organisations will face the threat of cyber war or cyber terror.
How cyber criminals work
Cyberspace is unregulated and it is increasingly simple and inexpensive to commit cyber crime; criminals can even buy off-the-shelf hacking software, complete with support services.
In keeping with the rapid pace of technological change, the world of cyber crime never stops innovating. Every month, Microsoft publishes a bulletin of the vulnerabilities of its systems, an ever-growing list of known threats, bugs and viruses. For a more complete overview of cyber security threats, mailing lists such as Bugtraq can provide up-to-date resources listing all new bugs.
Types of malware
Cyber criminals operate remotely, in what is called ‘automation at a distance’, using numerous types of attack that broadly fall under the umbrella term ‘malware’ (malicious software). These include:
Viruses
Aim: Gain access to, steal, modify and/or corrupt information and files from a targeted computer system.
Technique: A virus is a small piece of code that can replicate itself and spread from one computer to another by attaching itself to another computer file.
Worms
Aim: Exploit weaknesses in operating systems to damage networks and deliver payloads that allow remote control of the infected computer.
Technique: Worms are self-replicating and do not require a program to attach themselves to. Worms continually look for vulnerabilities and report back to the worm author when weaknesses are discovered.
Spyware/adware
Aim: Take control of your computer and/or collect personal information without your knowledge.
Technique: Spyware/adware can be installed on your computer when you open attachments, click on links or download infected software.
Trojans
Aim: Create a ‘backdoor’ on your computer by which information can be stolen and damage caused.
Technique: A Trojan virus is a program that appears to perform one function (for example, virus removal) but actually performs malicious activity when executed.
There are also a number of attack vectors available to cyber criminals that allow them to infect computers with malware or harvest stolen data:
Phishing – An attempt to acquire users’ information by masquerading as a legitimate entity. Examples include spoof emails and websites. See ‘social engineering’ below.
Pharming – An attack to redirect a website’s traffic to a different, fake website, where the individuals’ information is then compromised. See ‘social engineering’ below.
Drive-by – Opportunistic attacks against specific weaknesses within a system.
Man in the middle (MITM) – An attack where a middleman impersonates each endpoint and is able to manipulate both victims.
Social engineering – An exploitation of an individual’s weakness, achieved by making them click malicious links, or by physically gaining access to a computer through deception. Pharming and phishing are examples of social engineering.