While rapid technological developments have provided vast areas of new opportunity and potential sources of efficiency for organizations of all sizes, these new technologies have also brought unprecedented threats with them. Cyber security – defined as the protection of systems, networks and data in cyberspace – is a critical issue for all businesses. Cyber security will only become more important as more devices, ‘the internet of things’, become connected to the internet.
Introduction to cyber risks
Cyber risks can be divided into three distinct areas:
Cyber crime: Conducted by individuals working alone or in organized groups, intent on extracting money or data, or on causing disruption. Cyber crime can take many forms, including the theft of credit/debit card data and intellectual property, and impairing the operations of a website or service.
Cyber war: A nation state conducting sabotage and espionage against another nation in order to cause disruption or to extract data. This could involve the use of Advanced Persistent Threats (APTs).
Cyber terror: An organization, working independently of a nation state, conducting terrorist activities through the medium of cyberspace.
Organizations that have to consider measures against cyber war or cyber terror include governments, those within the critical national infrastructure, and very high-profile institutions. It is unlikely that most organizations will face the threat of cyber war or cyber terror.
Types of malware
Cyber criminals operate remotely, in what is called ‘automation at a distance’, using the numerous means of attack available to them, which broadly fall under the umbrella term of malware (malicious software). These include:
Virus
Aim: To gain access to, steal, modify and/or corrupt information and files on a targeted computer system.
Technique: A small piece of software that replicates itself and spreads from one computer to another by attaching itself to another computer file.
Worm
Aim: By exploiting weaknesses in operating systems, worms seek to damage networks and often deliver payloads which allow remote control of the infected computer.
Technique: Worms are self-replicating and do not require a host program to attach themselves to. Worms continually look for vulnerabilities and report back to the worm author when weaknesses are discovered.
Spyware/adware
Aim: To take control of your computer and/or to collect personal information without your knowledge.
Technique: Spyware/adware is installed on your computer when you open attachments, click links or download infected software.
Trojan
Aim: To create a ‘backdoor’ on your computer through which information can be stolen and damage caused.
Technique: A software program appears to perform one function (for example, virus removal) but actually does something else.
There are also a number of attack vectors available to cyber criminals which allow them to infect computers with malware or to harvest stolen data:
Phishing: An attempt to acquire users’ information by masquerading as a legitimate entity. Examples include spoof emails and websites. See ‘social engineering’ below.
Pharming: An attack that redirects a website’s traffic to a different, fake website, where the individuals’ information is then compromised. See ‘social engineering’ below.
Exploitation of vulnerabilities: Opportunistic attacks against specific weaknesses within a system.
Man-in-the-middle attack: An attack in which a middleman impersonates each endpoint and is thus able to manipulate both victims.
Social engineering: Exploiting the weakness of the individual by making them click malicious links, or by physically gaining access to a computer through deception. Pharming and phishing are examples of social engineering.
Cyber security for organizations
An effective cyber security posture should be proportional to the risks faced by each organization, and should be based on the results of a risk assessment.
Critical Issues – Cyber Security looks at the cyber security challenges facing business today and proposes a fully structured approach to achieving both cyber security and cyber resilience.
All organizations face one of two types of cyber attack:
They will be deliberately attacked because they have a high profile and appear to have valuable data (or there is some other publicity benefit in a successful attack).
The attack will be opportunistic, because an automated scan detects the existence of exploitable vulnerabilities. Virtually every Internet-facing entity, unless it has been specifically tested and secured, will have exploitable vulnerabilities.
Cyber criminals are indiscriminate. Where there is a weakness, they will try to exploit it. Therefore, all organizations need to understand the cyber threats they face, and safeguard against them.
ISO 27001 and cyber security
As well as protecting your critical assets, customer details and your operating systems, effective cyber security can also help organizations win new business by providing assurances of their commitment to cyber security to their supply chain partners, stakeholders and customers.
In order to achieve real cyber security, today’s organizations have to recognize that expensive software alone is not enough to protect them from cyber threats. The three fundamental domains of effective cyber security are: people, process and technology.
ISO 27001 is the internationally recognized best-practice Standard for information security management. It forms the backbone of every intelligent cyber security risk management strategy. Other standards, frameworks and methodologies need ISO 27001 in order to deliver their specific added value. Implementing ISO 27001 will help you protect your information assets in cyberspace, comply with your regulatory obligations and thrive by assuring your customers and stakeholders that you are cyber secure.