As threats in the cyber world continue to grow, so does our need to protect ourselves from these threats. When discussing ways to virtually protect ourselves from these threats, the term cyber security often gets brought up. But what is cyber security?

There’s a short answer, a long answer, and a one-word answer. Cyber security is an umbrella term for the suite of behaviors, controls, and technologies that make up an organization’s response to the risk of a cyberattack. That’s the short answer.

A three-legged stool is useless if it is missing a leg. Robust cyber security sits on three legs too. Just like the stool, all three legs must be in place for it to be effective.

Everyone is a Target

I’ve spoken to many senior executives who think they’re not at risk because “there are bigger and better targets out there, so why would they bother coming after us?” While it’s true some companies are singled out as targets, they’re a drop in the cybercrime ocean. In actual fact, most victims are not selected in advance. Counter-intuitively, they volunteer themselves as targets because of a lack of good security practice.

Cybercriminals have a staggering choice of automated software tools at their disposal. One simple example is port scanning software. This software works its way through an IP range looking for open firewall ports. Every open port it finds is probed, and default and commonly used passwords are tried. If the attack software gains entry, it either reports back to the cybercriminals or it installs some malicious software (malware), which in turn makes contact with the cybercrime gang’s remote control and command server. You’ve just nominated yourself as a victim.

Threat Actors

In the physical world, some criminals rob banks or casinos. Others run along streets and snatch handbags. Plainly, these are not crimes performed by the same people. There are different categories of criminal, and so it is with cybercrime, where the bad guys are called “threat actors.”

Depressingly, many cybercrime tools are freely available on the internet or can be purchased cheaply on the Dark Web. If you can follow simple instructions, you can use them. At one time the scale of the cyber threat was predicated on how many people had the requisite IT skills and criminal will. That’s no longer the case. I’ve seen cases where the perpetrators have been disgruntled customers, employees, or ex-employees. Not particularly tech-savvy, but they could use a search engine. They downloaded distributed denial of service attack software, pointed it at the victim’s website, and pulled the trigger.

These threat actors are the equivalent of the handbag snatchers. They’re a danger, but they’re not the predominant threat. And at the other end of the scale, the elite teams that target high profile targets are not a significant threat to the average corporation or small or medium enterprise.

Malware

What you are most at risk from is malicious software called malware. It is designed to hit as many targets as possible—indiscriminately. It doesn’t care who you are, what sphere of business your organization is in, nor what size of enterprise you happen to be. Typically, malware infects a network with ransomware. Ransomware encrypts your data and requires a ransom payment in digital currency to decrypt it.

Malware is produced by many threat actors including organized crime, hacking collectives, and even state sponsored offensive cyber teams known as Advanced Persistent Threats (APTs).

There are two principal ways to infect your network. One is to breach your defenses and release the malware. The other—much simpler—method is to email it to you. To threat actors, email is nothing more than a handy transport mechanism perfect for delivering threats right inside your organization. Attacks by email are usually untargeted and indiscriminate too. Enormous databases of email addresses can be obtained on the Dark Web.

Malign emails either carry a malicious payload in a bogus attachment or they encourage the recipient to click a link in the body of the email. These “phishing emails” take victims to a bogus website masquerading as a legitimate website. The emails are carefully worded to foster a sense of urgency. They try to spur the victim into immediate action such as “validating their credentials” to prevent an account from being closed. The fraudulent website might infect them—and your network—or it might harvest their username and password. And if they’ve used the same username and password on other, more valuable, websites, the criminals now have access to those other sites.

The people receiving these emails are your staff. They’re directly on the front line for email-based threats. Your personnel are your organic defenses.

Defenses: Technology

Your technological defenses will include everything from your firewalls to your end-point antivirus and antimalware protection. Techniques such as encrypting email communication and mobile devices like laptops fall into this category. Anti-spam, email filtering and quarantining software will reduce the chances of threat delivery by email. You may decide to deploy threat monitoring software or intrusion detection systems, if applicable. The secure destruction of old equipment with certified data destruction prevents data egress by way of your equipment refresh cycles.

Many of these are “add-ons” to your actual IT infrastructure. What about your infrastructure itself? Is your network segregated and segmented, or completely flat? If malware does get in, will its replication and spread be contained or can it race like wildfire from one end of your network to the other? The operating systems on all of your servers, virtual machines, desktops, and laptops must be current and within the manufacturer’s maintenance and update life-cycle. Security patches and service patches must be available and applied in a timely fashion when they are released.

The same stipulation applies to your software applications and line of business packages. They must be supported versions and patched up to date. Likewise, the firmware in hardware network devices must be patched, current, and supported. Are password policies enforced by group policy? Is access to Universal Serial Bus (USB) devices restricted and controlled, or turned off altogether? Do you make backups to different media and are they encrypted? Are some of them stored off-site?

Penetration testing is a service provided by security companies. It probes your outer defenses and reports on weak spots and vulnerabilities and tells you whether your technological defenses are sound, or full of holes. You’ll be told what needs to be reconfigured, upgraded, patched, or retired. Because new vulnerabilities are identified all the time, penetration testing should be scheduled to be repeated at a minimum of twice a year.

A vulnerability scan is a similar operation conducted inside your network. It scans network devices, servers, workstations, and other network end-points and reports on out-of-date and unsupported software or operating systems, as well as other weaknesses.

Defenses: IT Governance

IT governance is the set of policies and procedures that ensure staff are informed about, and conform to, best business practice regarding their use of your IT systems. Some of the procedures will apply to technical staff, some of them will be company-wide documents. Everything in your technology-based defenses will eventually become exposed and vulnerable if it is not maintained, patched, and configured correctly. Good governance will ensure critical maintenance activities are performed regularly, and that their effectiveness is tested.

Some initial questions to ask are:

Defenses: Staff Awareness Training

Your staff are a vital component in the security of your systems and the safety of your data. We’ll take a look at phishing emails in another article. But suffice it to say that the old school of badly-worded emails with a ridiculous premise is over. Modern phishing emails are slick, convincing, and compelling.

Is it fair to expect your staff to recognize threats that arrive by email without any tuition? Their diligence and appreciation of the dangers are protecting your business. It only makes sense to ensure they’re well equipped to keep your systems as safe as they can be.

They must be educated, but they must also be empowered to act. They cannot be criticized for double-checking that the email from the CEO asking for a bank transfer is really from the CEO. They should be applauded and encouraged to have a healthy degree of caution. Rampant paranoia doesn’t serve anyone well, but informed attentiveness will work wonders.

People don’t like change, and they don’t like red-tape. Push-back against changes that improve cyber security is known as cyber friction. The introduction of policies must be done in a way that gives staff a clear understanding that by increasing security you’re protecting them as well as your business. Instead of push-back, you need buy-in. Buy-in always trumps cyber friction.

Technological defenses are only useful as long as they are sanctioned, budgeted for, purchased, fitted, configured, and maintained correctly. IT governance is only useful if policies and procedures are developed, written, implemented, and willingly adopted.

So, ultimately, it all hinges on your staff, their management, and the administration of the organization.

Or, in one word, people.