Is cyber security a mysterious and complex area of the computer industry that no one understands? Yes and no. It can be complicated, and the broad scope of the term “cyber security” leaves many wondering where to begin to become secure. Indeed, when consulting with customers and conducting audits, “where do I start?” is frequently the first question I am asked. If this question is not correctly answered, then the real problems can begin.
Common belief holds that in order to improve cyber security in an organization, money must be spent on technology, the more the better, and the job is completed. The costly firewall, cutting-edge intrusion detection, and the most recent anti-malware solution are all products and technologies that claim to protect us from the most recent threats and those with malicious intent. I’ve spoken with network specialists who claim that with these systems in place, they are fully protected and unhackable. My reaction is to pose a question. What if one of your employees unintentionally clicks on a well-crafted phishing email, inadvertently supplies some user credentials, downloads malware that can bypass existing systems, or shares confidential information?
The firewall has been effectively bypassed, and there is a good chance that an intruder has gained access to at least some portion of the network. Can this network administrator be certain that all systems, including network switches, wireless access points, PCs, Macs, firewalls, and phones, have been fully patched against all known vulnerabilities that are ready to be exploited? Can they be certain that their passwords are strong enough to withstand brute-force attacks? Do they examine the logs of their expensive equipment on a regular basis for any unusual behavior? Can they detect unusual behavior in these logs, given the massive amount of data to sift through?
In an ideal world, all of the questions would be answered positively, but we are all human, and the workload of maintaining systems is growing as complexity grows.
Technology is of course a very important part of the cyber security jigsaw, but there are other areas that are equally vital to get right, even before investing in technology is considered. The three most common ways that organisations and individuals get breached, or in other words, are put in a position where private data is compromised, have been the same for many years.
First place goes to what is now called social engineering, which is a fancy term for getting conned. Phishing attacks through email, SMS messages, voice calls, even physical tricks such as dropping USB pen drives with important-sounding labels around the car park (a similar method to that which brought down an Iranian nuclear facility) are all part of a multitude of methods attackers use against unwitting people. Why attack an unhackable firewall when you can trick a very hackable person?
Second place goes to unpatched systems. We all know about Windows updates, but every system that runs on software (which is most of the world these days) has bugs. These bugs are found over time, and some of them can allow systems to be attacked and compromised. Vendors release patches to fix these holes, but all these holes are known. The first thing an attacker will do on gaining access to a network, perhaps through a phishing email, is scan the network with a vulnerability scanner to find unpatched systems, exploit them, and move around the network this way.
Third place is awarded to weak passwords and password management. Even the most complex 8-character password can be cracked in less than 40 minutes using free tools on an average computer, most in less than two. A 12-character password with lots of complexity can take hundreds of years to find, but a weak one just using lower case letters can be cracked in seconds.
So where does this leave us if technology alone can’t protect us? Should we close our email system to stop the phishing emails? Turn off the computer as we can’t keep up with the updates and go back to pen and paper? Have passwords that are 30 characters long full of complex characters? These steps would certainly make you more secure but are totally impractical. To be effective, cyber security must be usable by people. This is where we need to look at how we can achieve this.
The key is to get the basics right, and these have little to do with technology and more to do with people. It comes as a surprise to many that good cyber security has as much to do with the human element as it does with technology. If staff can be trained to be aware of common threats and attack methods, a large percentage of these threats can be eradicated. If people are encouraged to create effective passwords, and use 2-factor authentication, a lot of the problems associated with this can be mitigated. If an effective, automated patching regime is in place, systems are hardened against easy attacks.
And how do we enforce these good practices? It starts with properly written and relevant policies that detail these good practices, and this also applies to firewalls, switches and all other equipment. These policies also include the correct ways to handle data, how we should work from home, standards that are to be upheld with relation to IT and much more. If good practices are in place, the people that were once a threat to the organisation can become an asset in the fight against attacks: the human firewall. Once we have the policies in place and the people on our side, the technology can start to be built out to protect us. These three pillars – people, policy and technology – are the building blocks of cyber security.
The final question is, of course, what are we protecting? Despite this being the last point, this is the foundation of cyber security from which everything else grows. We need to know what we are protecting and it is vital to confirm this before any other steps are taken. To find out what to protect we need to perform a physical and data asset inventory to know what data and systems we have, where they are and what value they have. Data is usually the most valuable asset. A risk assessment should then be performed on this data and the most valuable data given the highest form of protection. Once we know what we are protecting, the risks involved with it and the consequence of it being breached, we have a foundation. We can then start to build policies in relation to what we have found, train our staff in these policies and then apply technological controls to align with the policies. Get the basics right, and the rest will follow.
About Afreen Technical Solutions, your IT support partner
ATS is one of the most trusted IT support providers in Abu Dhabi. Do not hesitate to contact us if you have any IT-related problem or need tech support. We are just a touch away from your smartphone.