Andy Taylor, APMG's Lead Cyber Assessor, reveals the top misconceptions about cyber security
One of the greatest challenges for organisations attempting to address cyber security risks is the number of fundamental security myths that cause organisations to incorrectly assess threats, misallocate resources, and set inappropriate goals. Dispelling those myths is key to developing a sophisticated, appropriate approach to information security.
This piece gives the background to these popular Cyber Security myths and sets out why there is more than meets the eye.
1. Cyber Security is an issue for the IT department
There is no doubt that cyber security comes largely from implementing appropriate technical controls to safeguard information held within an organisation. However, the biggest issue today concerns the users of the systems where this information is held. They represent the biggest risk, either through intentional actions (a disillusioned member of staff, for example) or by accidentally doing something unwise. The recent Verizon Data Breach Investigations Report found that 63% of confirmed data breaches involved weak, default or stolen passwords.
The most common threat today is ransomware: the encrypting of your files by an attacker who then demands a ransom to release them. The attack usually begins with an email sent to a member of staff with an attachment, perhaps a Word or Excel file purporting to be an invoice or order acknowledgement. The staff member opens the attachment and looks at the file before realising it is rubbish. The act of opening the file downloads the malware onto the computer, and the rest is history.
Educating staff to not open attachments or to not click on links within emails is one of the most important areas for organisations to concentrate on today. Whilst it is possible to put technical controls in place to stop attachments or links being accessed, it tends to be at a high cost to the efficiency of staff and so is often not appropriate.
The risks from cyber-attacks are no longer just a technical problem. The recent attacks on TalkTalk, Sony, Target and others have resulted in serious financial damage being done to the company itself and so the problem is now a Boardroom issue that has to be managed at that level just like any other risk to the business.
2. Software is the key to solving this issue
Good software management is the number one process required to deal with most cyber-attacks. It covers two of the five basic controls that CESG has listed as part of its Cyber Essentials scheme. It is effective both in reducing the likelihood of a successful attack and in mitigating its effects. However, in isolation it cannot achieve everything. People are the biggest threat to secure information processing, and they must be educated sufficiently about how their actions can expose their organisations to danger. Technical solutions for cyber-attacks can be implemented, but there is a fine balance between imposing controls to create a safe IT system and making it unusable as a work tool for the staff.
3. It’s not all just a question of keeping the bad guys out
It is now widely understood that there are only two types of organisation: those that know how to deal with a cyber-attack and those that don’t even know that they have been breached. Whilst this seemingly cynical view may be slightly overstating the problem, there is no doubt that most organisations that are serious about protecting their information understand that a successful attack, in the sense of someone unauthorised getting inside the organisation’s network, is inevitable. For most organisations, the basic implementation of the five controls identified by CESG as Cyber Essentials basics would prevent the vast majority of straightforward attacks. They will not deal with very sophisticated or prolonged, targeted attacks, but most organisations (particularly smaller ones) are not facing these types of threat. These five controls, implemented effectively and then regularly monitored and updated, are the ones everyone should be doing, and Cyber Essentials should be the basic starting point for all security.
We have to accept that simply trying to keep the bad guys out is no longer good enough, although it is still very important. We need to work towards a much more proactive defence, whereby unauthorised activity within a network is quickly identified and appropriate action taken to deal with it. This proactive defence needs well-developed and well-implemented processes throughout all areas of the organisation, from the management of hardware, through software patching, to user education. In all cases these processes need to be able to respond rapidly to change, to different unforeseen threats and to aggressive attackers, and to be able to change the way systems deal with the attack. For small organisations this is not really an issue. However, any organisation holding significant amounts of sensitive or personal data must aim to reach a stage where its systems can identify attacks quickly and then automatically change themselves to stop the attack being successful, or at least to minimise the damage that occurs.
4. Small or medium businesses are not going to be attacked
A 2015 HM Government report confirms that 74% of small and medium-sized enterprises (SMEs) reported a security breach and that only 7% of small businesses expect information security spend to increase in the next year.
Whilst you might think you are not likely to be a target for an attack from the internet, the very opposite is the reality. The fact that you are a small organisation suggests to attackers you might be doing less to protect yourself. They will therefore see you as an easy target and see what information you might have that could be valuable or useful to them. That might be information about clients, customer details, bank details or it might be as a way into one of your customers’ systems where you are linked through e-commerce, by email or in some other way. Ransomware is one of the most common attacks today that could affect anyone.
Ransomware affects SMEs and individuals alike. The attackers are clever. They do not ask for millions from those whose data they encrypt. To decrypt the files they ask for a sum of money that is significant but “acceptable” to the victim. In the case of an individual it might be £50. For a small organisation, perhaps £250: enough to make a nice income for the attackers and small enough that their victims are likely to pay. If it were too much, the victim would simply throw the PC away and start again.
The weak point is the user who clicks on links in emails or opens attachments. And before paying the ransom to get back to “normal” operations, just remember there are many gangs out there who will share your information. The evidence that you are willing to pay will quickly be passed around to other similar groups. Expect more visits!
5. Manufacturers should make computing safe – then we wouldn’t need to worry about it.
There is no doubt that the manufacturers of software, hardware and other devices (routers, phones, etc.) should be doing their best to supply secure systems for us to use. Things are undoubtedly getting better – Windows 10 is widely accepted as being one of the most secure Microsoft operating systems there has ever been and manufacturers have realised that security is now important to users whereas previously it was seen as an obstacle to the way they wanted to use the system. But it is often the users themselves who are unpredictable and unreliable. They do the wrong things without thinking; accidentally or out of malice aforethought. Technology can go so far but there is a difficult judgement call between the usability of systems and the security placed on them. If they are too secure then users find ways around the security or do not even use that system at all; they might use a much less secure way of accessing information such as through open Wi-Fi points or via smart phones.
6. I don’t have anything worth stealing
We all have personal and sensitive data that we want to keep to ourselves. It doesn’t matter whether it is covered by legislation such as the Data Protection Act or not. We do not want to share everything with everybody. But there is a problem: one of the primary purposes (if not the only one) of the World Wide Web when Sir Tim Berners-Lee invented it was to share information. It is not surprising, then, that if information is put onto the web it is visible to a wide variety of good and bad people. So storing information that we regard as personal or sensitive on the web is always going to be an issue. It is essential to ensure that the more sensitive or personal the information, the better it is protected.
This includes protecting information stored on our local PC, tablet, phone or other device. Whether we like it or not, if that device can access the internet it is part of the World Wide Web and is, therefore, potentially accessible to anyone on the internet. Encrypting information at rest (stored) and in transit (moving electronically from one location to another) is one of the fundamental ways of protecting information, but it is not done all of the time. Many newer devices encrypt data at rest automatically (most Apple devices, for example) and some have it as an option (Windows 10 and many phones), but it needs to be activated. Using unencrypted links to the internet is (slowly) becoming less common, but we must all realise that end-to-end encryption, using a virtual private network (VPN) or similar, is the only really secure way of managing information in transit.
“Imagine that everything you are typing is being read by the person you are applying to for your first job. Imagine that it’s all going to be seen by your parents and your grandparents and your grandchildren as well.” Sir Tim Berners-Lee
7. The Internet of things is a wonderful development.
The internet addressing protocol IPv6 will provide every single device in the world capable of being connected to the internet with its own unique address, so that it can be individually contacted. This includes washing machines, fridges, cars, TVs, heating, lighting, etc. At first glance this seems like a huge step forward, allowing individuals to control these different home systems from anywhere they have internet access. It will make life easier in so many ways. It will also make life easier for the criminals and those intent on doing damage to, or making money out of, everyone else.
Cyber defence experts talk about the cyber-attack surface. What this describes is the whole environment through which cyber-attacks can be launched. Once upon a time there was just office-based equipment and so to gain access the criminal often had to physically get inside the building to steal information or the equipment. The defences were standard locks and keys, burglar alarms and the like. Now, the attacker only needs access to the internet in order to achieve their aims.
The weakest link in any chain will always be the preferred way of attacking. So whilst we might be very careful about safeguarding our banking details when we use a computer or even our phone, attacking through the fridge is the more likely option, because our systems will see the other devices on our local network as safe and therefore trustworthy. Are manufacturers of fridges, heating systems and the like taking care of security appropriately? The indications thus far are that they are not, since we have already seen instances of cars being attacked and the electronics controlling them being used to stop the car remotely. Hospital equipment used to deliver medication has also been hacked. Machinery in factories has been damaged by viruses engineered to infiltrate from the office administration system onto the shop-floor industrial control systems. It is hoped that the designers of future domestic and industrial products will recognise that devices capable of being addressed across the internet are potential routes into our most sensitive and important information and systems.
Author - Andy Taylor - Lead Cyber Assessor
Originally published - 12 May 2016