Malicious code/software (malware) is any software that gives partial to full control of your computer to do whatever the malware creator wants. Malware can be a virus, worm, trojan, adware, spyware, root kit, etc. It is very common for people to use the word “virus”. However, it’s just one of many types of malware.
The impact of malware can be very different. It includes using your computer (without your knowledge) to conduct attacks or spread spam/viruses to formatting your hard drive. Additionally it can build on your computer (without your knowledge) a platform for the next attack and encrypt your files. It can also ask for a ransom to be paid (Ransomware is another type of malware).
Malware mitigation controls generally include Anti-Virus, Intrusion Detection and Intrusion Prevention Systems (IDS/IPS), firewalls, hardware and software for detecting Advanced Persistent Threats. However, as we know “a chain is only as strong as its weakest link” and the weakest link is not surprisingly humans. Therefore, security awareness training remains one of the most important controls.
Although most people have heard of the term hacking many do not have a comprehensive knowledge of what is involved in this and what risks there can be to an organisation. A computer hacker is somebody skilled at manipulating computers. Generally, the term hacker is used to refer to a person who breaks into computer systems. Hackers may do this for material gain, to harm another person or as a prank. A hacker may also have more positive motivations — some hackers aim to expose security flaws before other, less scrupulous people can exploit them. While hacking is often thought of a computer expert sitting in front of a computer, hackers can also utilise social situations where an individual may inadvertently disclose personal information which then can used to break down passwords etc.
In addition where hacking occurs there are often cases where employees have valid access to information but can use this access for inappropriate uses. For an example an employee could access an organisations proprietary information for personal use or could pass that information on to third parties for personal gain. This can be detected by monitoring the transfer of large amounts of sensitive information from the organization and how this was done. In addition monitoring the timing of the use of computers can be done i.e. why is a person regularly accessing an organizations information at 10pm when he/she finishes work at 5pm.
When a network or systems gets compromised by hacking, we typically look for several controls:
• Preventative Controls: Intrusion Detection Systems, Anti-Viruses, Fire-Walls, Web Filtering Services; however these controls are good only for “known” threats, when vendors have developed signatures for them;
• Detective Controls: Advanced Persistent Threats are one of the most sophisticated and dangerous threats; only behavioural-like detection systems can detect and identify them;
• Security Awareness: despite all advanced technologies humans are the weakest point. “Security is only as good as your weakest point” – this statement relates to hackers but also applies to all areas of IT security.
Also there are many cases, when hackers are able to gather some minor but key information about employees by wearing “service” or “janitor” work robes, come to the offices and steal all sorts of assets (from documents to laptops). This can be prevented by building security, automatic logging off, passwords etc.
Additionally, the SANS Institute (a cooperative research and education organization) promotes the idea of laired security. This promote: a) company personal have good security awareness; b) company employees adhere to all types of security controls, from physical security (an employee must have an access card in order to enter to floor) to finishing administrative access controls (an employee must complete yearly security awareness training and sign the company compliance policy).
Online identity theft
Identity theft is a deliberate use of somebody else’s identity for impersonating someone else. The purpose of identity theft can be to facilitate financial gain (obtaining credit details etc.) and obtaining medical information (medical care or drugs), as well as terrorism and espionage (obtaining unauthorised information).
Mitigation controls for identity theft include security awareness, fraud detection and prevention software, strong authentication etc. However, conducting an Information Risk Assessment, which includes a Privacy Impact Assessment, is one of the key controls for managing risks associated with identity theft.
General Computer Controls
While the vast majority of organisations will have processes and controls in place to authorise its employees to have access to their systems and to ensure that inappropriate access is avoided including conflicts, these processes and controls need to be monitored on a periodic basis to ensure that they are still operational and effective.
Tip of the Iceberg
This article has described briefly some of the main cyber-security threats but there are many more that security conscious organisations should be aware of and have preventative or detective controls in place. Do not incur expensive security breaches – continuously monitor the position. There is no unique/universal model for protecting organization’s/company’s assets – there is no “ideal” security model. All companies and organizations are different: starting from the nature of the business and finishing with the culture and company’s style. This is why it is very important to engage security professionals, so they can assess, audit and develop the security controls, which are most applicable to your organization. PFC can assist with all aspects of IT Security.