What is Cyber Security? Definition, Threats, and Defenses

[Image: city shaped like an eye, representing cyber security. Photo: Tim de Groot/Unsplash]

As threats in the cyber world continue to grow, so does our need to protect ourselves from them. When discussing ways to do that, the term cyber security often gets brought up. But what is cyber security?

What is Cyber Security?

There’s a short answer, a long answer, and a one-word answer. Cyber security is an umbrella term for the suite of behaviors, controls, and technologies that make up an organization’s response to the risk of a cyberattack. That’s the short answer.

A three-legged stool is useless if it is missing a leg. Robust cyber security sits on three legs too. Just like the stool, all three legs must be in place for it to be effective.

  • Technology obviously plays its part. So hardware and software form the first leg.
  • Your IT governance must cement the adoption of best practices in your organization. That means policies, procedures and, optionally, certification to standards. That’s leg number two.
  • Staff education and training is the third leg. Your personnel must be aware of the types of threats you face and how to recognize them. They must relinquish behaviors that put your business at risk. It’s vital they understand, follow, and appreciate the value and benefits of your IT governance policies. Understanding is one thing, being empowered to act is another altogether. But achieve that and you’ll have their buy-in to the security-minded culture your organization must foster.

Everyone is a Target

I’ve spoken to many senior executives who think they’re not at risk because “there are bigger and better targets out there, so why would they bother coming after us?” While it’s true some companies are singled out as targets, they’re a drop in the cybercrime ocean. In fact, most victims are not selected in advance. Counter-intuitively, they volunteer themselves as targets because of a lack of good security practice.

Cybercriminals have a staggering choice of automated software tools at their disposal. One simple example is port scanning software. It works its way through a range of IP addresses looking for ports that are open to the internet. Every open port it finds is probed to identify the service behind it, and default and commonly used passwords are tried against any login it exposes. If the attack tool gains entry, it either reports back to the cybercriminals or installs malicious software (malware), which in turn makes contact with the gang’s command and control (C2) server. You’ve just nominated yourself as a victim.
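The defender’s side of that sweep is to notice it in the firewall log and see which services it actually reached. The following is an added example, not code from this article: it flags any source that touches many distinct ports on one host inside a sliding time window, then lists the ports the firewall let through, which are the services now being tried with default passwords. The log format and the sample lines are constructed for the example (documentation address ranges only), and the thresholds are assumptions to tune for your own network.

```python
"""Spot an automated port scan in firewall logs, and list which ports it reached.

Added example, not code from the article. Assumptions: the one-line-per-attempt
log format "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ACCEPT|DENY>" is
invented here, and the sample lines are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>ACCEPT|DENY)$"
)

# Constructed sample: 198.51.100.7 sweeps 11 ports on one host in 11 seconds and
# reaches three services that answer; 192.0.2.5 is a normal client using 443.
SAMPLE_LOG = """\
2024-03-01T10:00:00 192.0.2.5 -> 203.0.113.10:443 ACCEPT
2024-03-01T10:00:01 198.51.100.7 -> 203.0.113.10:21 DENY
2024-03-01T10:00:02 198.51.100.7 -> 203.0.113.10:22 ACCEPT
2024-03-01T10:00:03 198.51.100.7 -> 203.0.113.10:23 DENY
2024-03-01T10:00:04 198.51.100.7 -> 203.0.113.10:25 DENY
2024-03-01T10:00:05 198.51.100.7 -> 203.0.113.10:80 DENY
2024-03-01T10:00:06 198.51.100.7 -> 203.0.113.10:110 DENY
2024-03-01T10:00:07 198.51.100.7 -> 203.0.113.10:135 DENY
2024-03-01T10:00:08 198.51.100.7 -> 203.0.113.10:139 DENY
2024-03-01T10:00:09 198.51.100.7 -> 203.0.113.10:443 ACCEPT
2024-03-01T10:00:10 198.51.100.7 -> 203.0.113.10:445 DENY
2024-03-01T10:00:11 198.51.100.7 -> 203.0.113.10:3389 ACCEPT
2024-03-01T10:00:30 192.0.2.5 -> 203.0.113.10:443 ACCEPT
this line is malformed and is skipped by the parser
"""


def parse_log(text):
    """Return (timestamp, src, dst, port, action) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                           int(m["port"]), m["action"]))
    return events


def detect_scanners(events, window=timedelta(seconds=60), min_ports=10):
    """Map (src, dst) -> set of ports for every source that touched at least
    min_ports distinct ports on one destination within a sliding window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _action in events:
        by_pair[(src, dst)].append((ts, port))
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        recent = deque()        # (ts, port) attempts currently inside the window
        in_window = Counter()   # port -> number of attempts inside the window
        for ts, port in hits:
            recent.append((ts, port))
            in_window[port] += 1
            while ts - recent[0][0] > window:   # slide the window forward
                _old_ts, old_port = recent.popleft()
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
            if len(in_window) >= min_ports:
                alerts.setdefault(pair, set()).update(in_window)
    return alerts


def reached_ports(events, alerts):
    """For each flagged scanner, the ports the firewall accepted: the services
    that are now exposed to default-password attempts."""
    reached = {pair: set() for pair in alerts}
    for _ts, src, dst, port, action in events:
        if (src, dst) in reached and action == "ACCEPT":
            reached[(src, dst)].add(port)
    return {pair: sorted(ports) for pair, ports in reached.items()}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    alerts = detect_scanners(events)
    exposed = reached_ports(events, alerts)
    for (src, dst), ports in alerts.items():
        print(f"{src} swept {len(ports)} ports on {dst}; reachable to it: {exposed[(src, dst)]}")
```

Run against the sample, it reports the sweep from 198.51.100.7 and the three accepted ports (22, 443 and 3389). Those three are the ones to check for default credentials before the scanner does; the normal client on 443 is never flagged because it never exceeds one distinct port.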

Threat Actors

In the physical world, some criminals rob banks or casinos. Others run along streets and snatch handbags. Plainly, these are not crimes performed by the same people. There are different categories of criminal and so it is with cybercrime, where the bad guys are called “threat actors.”

Depressingly, many cybercrime tools are freely available on the internet or can be purchased cheaply on the Dark Web. If you can follow simple instructions, you can use them. At one time the scale of the cyber threat was limited by how many people had the requisite IT skills and criminal will. That’s no longer the case. I’ve seen cases where the perpetrators have been disgruntled customers, employees, or ex-employees. Not particularly tech-savvy, but they could use a search engine. They downloaded distributed denial of service (DDoS) attack software, pointed it at the victim’s website, and pulled the trigger.

These threat actors are the equivalent of the handbag snatchers. They’re a danger, but they’re not the predominant threat. And at the other end of the scale, the elite teams that target high profile targets are not a significant threat to the average corporation or small or medium enterprise.

Malware

What you are most at risk from is malicious software, or malware. It is designed to hit as many targets as possible, indiscriminately. It doesn’t care who you are, what sphere of business your organization is in, or what size of enterprise you happen to be. Typically the malware that lands on a network today is ransomware, which encrypts your data and demands a ransom payment in digital currency in exchange for the decryption key.

Malware is produced by many threat actors, including organized crime, hacking collectives, and even state-sponsored offensive cyber teams, commonly referred to as Advanced Persistent Threats (APTs).

There are two principal ways to infect your network. One is to breach your defenses and release the malware. The other, much simpler, method is to email it to you. To threat actors, email is nothing more than a handy transport mechanism, perfect for delivering threats right inside your organization. Attacks by email are usually untargeted and indiscriminate too. Enormous databases of email addresses can be obtained on the Dark Web.

Malign emails either carry a malicious payload in a bogus attachment or they encourage the recipient to click a link in the body of the email. These “phishing emails” take victims to a bogus website masquerading as a legitimate website. The emails are carefully worded to foster a sense of urgency. They try to spur the victim into immediate action such as “validating their credentials” to prevent an account from being closed. The fraudulent website might infect them—and your network—or it might harvest their username and password. And if they’ve used the same username and password on other, more valuable, websites, the criminals now have access to those other sites.
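The bogus website usually announces itself in the link: the text the recipient sees names the real brand, while the link target is a lookalike domain or a trusted name buried as a subdomain of something else. The following is an added example, not code from this article, showing those checks run over the links in an HTML message. The allowlist of your own domains, the sample email and the thresholds are constructed assumptions, and the "registrable domain" helper takes the last two labels, which is wrong for suffixes such as co.uk; a production filter should use the Public Suffix List instead.

```python
"""Inspect the links in an HTML email for the tricks phishing pages rely on.

Added example, not code from the article. Assumptions: KNOWN_DOMAINS is a
constructed allowlist of domains the organization actually uses, SAMPLE_EMAIL
is constructed, and registrable() approximates the registrable domain as the
last two DNS labels.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_DOMAINS = {"example-bank.com", "example.com"}   # constructed allowlist

# Constructed phishing message: urgency in the text, three links of varying honesty.
SAMPLE_EMAIL = """\
<p>Your account will be closed in 24 hours unless you validate your credentials.</p>
<p><a href="https://example-bank.com.secure-login.example/verify">https://example-bank.com/verify</a></p>
<p><a href="https://examp1e-bank.com/login">Sign in</a></p>
<p><a href="https://example-bank.com/help">Help centre</a></p>
"""

# Link text that itself looks like a URL or bare domain.
DOMAIN_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Approximate registrable domain: last two labels (assumption, see lead-in)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalikes such as examp1e."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href, text, known=KNOWN_DOMAINS):
    """Return human-readable reasons the link looks fraudulent (empty list if none)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return [f"no host in link target {href!r}"]
    reg = registrable(host)
    # 1. The visible text names one domain while the real target is another.
    if DOMAIN_LIKE.fullmatch(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable(shown) != reg:
            reasons.append(f"display text names {shown} but link goes to {host}")
    for k in known:
        # 2. A trusted name used as a subdomain of an attacker-controlled domain.
        if f".{k}." in f".{host}." and reg != k:
            reasons.append(f"known domain {k} used as a subdomain of {reg}")
        # 3. A near-miss spelling of a trusted domain.
        d = levenshtein(reg, k)
        if 0 < d <= 2:
            reasons.append(f"{reg} is a lookalike of known domain {k} (edit distance {d})")
    return reasons


def assess_email(html):
    """Return [(href, reasons)] for every link in the message body."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, assess_link(href, text)) for href, text in extractor.links]


if __name__ == "__main__":
    for href, reasons in assess_email(SAMPLE_EMAIL):
        print(href, "->", reasons or "no indicators")
```

On the sample, the first link is flagged twice (the displayed domain does not match the target, and the bank’s name is a subdomain of secure-login.example), the second is flagged as a one-character lookalike, and the genuine help link passes. The same three checks are what a trained recipient does by hovering over a link before clicking; the script only makes them systematic.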

The people receiving these emails are your staff. They’re directly on the front line for email-based threats. Your personnel are your organic defenses.

Defenses: Technology

Your technological defenses will include everything from your firewalls to your end-point antivirus and antimalware protection. Techniques such as encrypting email communication and encrypting mobile devices like laptops fall into this category. Anti-spam, email filtering, and quarantining software will reduce the chances of threat delivery by email. You may also deploy threat monitoring software or intrusion detection systems where they are warranted. The secure destruction of old equipment, with certified data destruction, prevents data leaking out through your equipment refresh cycle.

Many of these are “add-ons” to your actual IT infrastructure. What about the infrastructure itself? Is your network segregated and segmented, or completely flat? If malware does get in, will its replication and spread be contained, or can it race like wildfire from one end of your network to the other? The operating systems on all of your servers, virtual machines, desktops, and laptops must be current and within the manufacturer’s maintenance and update life-cycle. Security patches and other updates must be applied in a timely fashion when they are released.

The same stipulation applies to your software applications and line of business packages. They must be supported versions and patched up to date. Likewise, the firmware in hardware network devices must be patched, current, and supported. Are password policies enforced by group policy? Is access to Universal Serial Bus (USB) devices restricted and controlled, or turned off altogether? Do you make backups to different media, and are they encrypted? Are some of them stored off-site, and have you tested that you can restore from them?

Penetration testing is a service provided by security companies. It probes your outward-facing defenses, reports on weak spots and vulnerabilities, and tells you whether your technological defenses are sound or full of holes. You’ll be told what needs to be reconfigured, upgraded, patched, or retired. Because new vulnerabilities are identified all the time, penetration testing should be scheduled to repeat at least twice a year.

A vulnerability scan is a similar operation conducted inside your network. It scans network devices, servers, workstations, and other network end-points and reports on out-of-date and unsupported software or operating systems, as well as other weaknesses.

Defenses: IT Governance

IT governance is the set of policies and procedures that ensure staff are informed about, and conform to, best business practice regarding their use of your IT systems. Some of the procedures will apply to technical staff, some of them will be company-wide documents. Everything in your technology-based defenses will eventually become exposed and vulnerable if it is not maintained, patched, and configured correctly. Good governance will ensure critical maintenance activities are performed regularly, and that their effectiveness is tested.

Some initial questions to ask are:

  • Do you have a documented IT security policy?
  • Do you have an incident plan and has it been rehearsed?
  • When did you last have penetration testing performed?
  • Is two-factor authentication enforced on your systems, so that a password alone is not enough to gain access?
  • Do you have a disaster recovery plan and has it been tested?
  • Do you have an Acceptable Use Policy that clearly lists activities that staff are prohibited from conducting using your IT equipment, and is it explained to them during their induction?
  • Does a Password Policy provide guidance on selecting unique, robust passwords, and does it prohibit reusing a password across more than one system?

Remember, if it isn’t written down it isn’t a procedure. It’s tribal knowledge. No one can be held accountable for not knowing tribal knowledge.

Defenses: Staff Awareness Training

Your staff are a vital component in the security of your systems and the safety of your data. We’ll take a look at phishing emails in another article. But suffice to say that the old school of badly-worded emails with a ridiculous premise are over. Modern phishing emails are slick, convincing, and compelling.

Is it fair to expect your staff to recognize threats that arrive by email without any tuition? Their diligence and appreciation of the dangers are protecting your business. It only makes sense to ensure they’re well equipped to keep your systems as safe as they can be.

They must be educated, but they must also be empowered to act. They cannot be criticized for double-checking that the email from the CEO asking for a bank transfer is really from the CEO. They should be applauded and encouraged to have a healthy degree of caution. Rampant paranoia doesn’t serve anyone well, but informed attentiveness will work wonders.

People don’t like change, and they don’t like red tape. Push-back against changes that improve cyber security is known as cyber friction. The introduction of policies must be done in a way that gives staff a clear understanding that by increasing security you’re protecting them as well as your business. Instead of push-back, you need buy-in. Buy-in always trumps cyber friction.

Technological defenses are only useful as long as they are sanctioned, budgeted for, purchased, fitted, configured, and maintained correctly. IT governance is only useful if policies and procedures are developed, written, implemented, and willingly adopted.

So, ultimately, it all hinges on your staff, their management, and the administration of the organization.

Or, in one word, people.