Importance of Information Security..
Security: We must protect our computers and data in the same way that we secure the doors to our homes.
Safety: We must behave in ways that protect us against risks and threats that come with technology.
The Biggest Cyber security Threats Are Inside Your Company
When security breaches make headlines, they tend to be about nefarious actors in another country or the catastrophic failure of technology. These kinds of stories are exciting to read and easier for the hacked company to admit to. But the reality is that no matter the size or the scope of a breach, usually it’s caused by an action, or failure, of someone inside the company.
The role that insiders play in the vulnerability of all sizes of corporations is massive and growing. IBM found that 60% of all attacks were carried out by insiders. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors. IBM Security research also found that health care, manufacturing, and financial services are the top three industries under attack, due to their personal data, intellectual property and physical inventory, and massive financial assets, respectively. However, while industries and sectors differ substantially in the value and volume of their assets and in the technology infrastructures they have to manage and defend, what all businesses have in common is people — all of whom have the potential to be an insider threat.
The most dangerous aspect of insider threats is the fact that the access and activities are coming from trusted systems, and thus will fly below the radar of many detection technologies. Particularly in the latter two categories, malicious actors can erase evidence of their activities and presence to further complicate forensic investigations.
- Focus on the right assets. Bad guys want what you value most, what we call your businesses’ “crown jewels.” Identify the most-valuable systems and data, and then give them the strongest defenses and the most frequent monitoring.
- Apply deep analytics. Humans are creatures of habits: They come to work at the same time and do familiar tasks. The same can be said for how they use and interact with technology. Deep analytics and AI can uncover deviations in behavior at the level of individual employees, which can make it much easier to spot indications that systems have been compromised. We recently helped a customer collect and analyze terabytes of such data, and within 15 minutes they saw violations of policy that they didn’t know existed.
- Know your people. Understanding the users who hold the potential for greatest damage is critical. Addressing the security risks that these people represent, and the critical assets they access, should be a priority. In particular, monitor IT admins, top executives, key vendors, and at-risk employees with greater vigilance.
- Don’t forget the basics. In security we love the newest tools. But getting the basics done well can make the biggest impact on insiders: Applying software patches automatically closes that open window before a hacker can use it to access your network. Enforcing strong standards for user identities and passwords means stealing credentials is that much harder. Collecting all the data and forensics you can on every device that touches your network makes sure you’re the first to know if you’ve been hacked, not the last. But forget technology altogether — user awareness programs are the key to educating insiders. Train your people, test them, and then try to trick them with fake exercises. These basics make a disproportionate impact but they do require work and perseverance.
Trojan Horse / Logic Bomb
Botnets / Zombies
Social engineering manipulates people into performing actions or divulging confidential information. Similar to a confidence trick or simple fraud, the term applies to the use of deception to gain information, commit fraud, or access computer systems.
Man in the middle attack
An attacker pretends to be your final destination on the network. If a person tries to connect to a specific WLAN access point or web server, an attacker can mislead him to his computer, pretending to be that access point or server.
Other hacker tricks to avoid
Be sure to have a good firewall or pop-up blocker installed
Pop-up blockers do not always block ALL pop-ups so always close a pop-up window using the ‘X’ in the upper corner.
Never click “yes,” “accept” or even “cancel”
Infected USB drives are often left unattended by hackers in public places.
Every company needs to have a security program
No matter how large or small your company is, you need to have a plan to ensure the security of your information assets. Such a plan is called a security program by information security professionals. A security program provides the framework for keeping your company at a desired security level by assessing the risks you face, deciding how you will mitigate them, and planning for how you keep the program and your security practices up to date.
Elements of a good security program
A good security program provides the big picture for how you will keep your company’s data secure. It takes a holistic approach that describes how every part of your company is involved in the program.
Your security program defines what data is covered and what is not. It assesses the risks your company faces, and how you plan to mitigate them. It indicates how often the program will be re-evaluated and updated, and when you will assess compliance with the program. The key components of a good security program are:
- Designated security officer
- Risk assessment
- Policies and Procedures
- Organizational security awareness
- Regulatory standards compliance
- Audit compliance plan
The right Approach
Everyone needs to have a security program because it helps you maintain your focus on IT security. It helps you identify and stay in compliance with the regulations that affect how you manage your data. It keeps you on the right footing with your clients and your customers so that you meet both your legal and contractual obligations. Its life cycle process ensures that security is continuously adapting to your organization and the ever-changing IT environment we live in. And, of course, it’s the right thing to do because protecting your data’s security is the same as protecting your most important asset.
Back-up important information
- No security measure is 100%, What information is important to you?
- Is your back-up: Recent?
- Off-site & Secure?
- Process Documented?
Defense in depth
Defense in depth uses multiple layers of defense to address technical, personnel and operational issues.
Never use ‘admin’ or ‘root’ or ‘administrator’ as a login for the admin
A good password is:
private: it is used and known by one person only
secret: it does not appear in clear text in any file or program or on a piece of paper pinned to the terminal
easily remembered: so there is no need to write it down
at least 8 characters, complex: a mixture of at least 3 of the following: upper case letters, lower case letters, digits and punctuation
not guessable by any program in a reasonable time, for instance less than one week.
changed regularly: a good change policy is every 3 months
Beware that someone may see you typing it. If you accidentally type your password instead of your login name, it may appear in system log files
Combating cyber security tips
While the threat of cyber-attacks is growing, many organisations struggle to even get the basic safeguards in place to protect their infrastructure and data. Practical security measures that emerged from the roundtable included:
Regularly patching firewalls
Setting strong passwords
Changing the password your Wi-Fi router came with
Asking employees who use their own devices at work to install anti-virus software and to switch on firewalls.
Find the Motivation
Security awareness is important for all aspects of life, not just in the workplace. This is especially true in today’s always-on culture, where people are routinely exposed to phishing, password challenges, data theft and other social engineering tactics. By raising awareness of security issues and concerns in a wider context, such as how to better protect their families and personal finances, employees will be more engaged and their emotional interest will be sparked.
Creating an air of healthy competition will raise interest in the awareness program, especially where departments are encouraged to compete against each other for the top spot based on factors such as which caught the most phishing emails or reported the most suspected incidents.
Employees will be more engaged if the program is fun to take part in. For example, by using gamification techniques for personnel in security operations centers, not only do participants have fun while honing important incident response skills, but they will become more adept at protecting the organization in the process.
Form Security Awareness Allies
Promoting security awareness doesn’t have to be the sole responsibility of the security team, which is often understaffed and time constrained. By getting other departments or branch locations involved, individuals outside of security can help to be the eyes, ears and voice of the program.
Publicly recognizing success is key to making employees feel valued and can easily be done via the intranet, newsletters, internal marketing materials and general recognition from management. These methods may be preferred over monetary incentives such as gift cards or extra paid time off. Employees will come to expect that such rewards and may lose interest should they be suspended, perhaps because the budget for such incentives is withdrawn.
Keep It Simple and Aligned to the Business
While crucial to the business, security is certainly not the main reason most employees were hired. Therefore, focus on specific incremental goals rather than trying to be all-encompassing and attempting to achieve too much too fast. Identify the behaviors the organization wants to promote and align this to business results so that employees can understand the value security has in protecting the overall organization.
Internal evaluation of security measures.
There are a number of free security options online, which makes these tips easy to implement.
At a higher level, senior IT professionals should also be encouraged to share information among their peers and competitors, as one participant pointed out: “Security transcends competition.”
Source: security intelligence.