No company wants to be the target of cyber criminals. Attempts to steal data, IP and personal information, encrypt data to get money or create botnets for mounting other forms of attack are increasing all the time. The cyber security challenges that companies encounter continues to grow in the face of an increasingly organised and hostile Internet-based criminal fraternity.
There are, however, some fundamental things to get right if your business wants to stay crime free. They are the online equivalents of closing windows and locking doors as a defence against real-world crime, and they really do help.
The list is not intended to be complete, and there are other obvious controls that are important too, such as staff awareness training or having anti-virus software installed. However, they found that when those types of controls failed, it was this list that was most useful in averting an attack or minimising its effects. So when anti-virus software fails to pick up a brand new virus, there are steps beyond it that become part of the essential line of defence.
Operating system vulnerabilities are common, and to a cyber criminal they represent an open window. They are easily detectable and a simple way to access a system and the data, user credentials and files it contains.
The diversity of systems and the challenge of knowing whether business applications will still operate on the latest patched OS versions, coupled with the need to plan in downtime for servers, do make patching more complicated. The frequency of updates and their deployment is a challenge for large and small environments alike. However, this is an area that simply must get focus if companies want to avoid being a victim of cyber crime.
Many businesses lack knowledge of exactly how well their process for patching vulnerabilities operates. A report showing where residual exposures remain is therefore a key one to have at one's disposal.
As with operating systems, the applications we use can contain vulnerabilities too. Once again these can be like a known open window to cyber criminals.
In the same way that an operating system can be exposed and used to access systems and data files, data sent to applications can achieve the same end, and it is applications that we use to open documents, PDF files, emails and spreadsheets.
The complexity here is greater: for every system that runs one operating system, there might be dozens of applications, all from different vendors, and users might even install their own.
Hence the problem is magnified, and the importance of making sure the latest versions and most up-to-date patches are installed is just as great.
There are two aspects to this.
One is that users with administrative accounts have enormous ability to do wrong if they become disillusioned or dishonest or compromised in some way. So it is important to make sure that people only get the access they need to do their jobs. If that is a highly privileged account then there has to be a process to validate that they need it (and that when they no longer do, it’s removed) and a way of monitoring their use.
The second aspect is that there should be controls around what admin users can do, in view of the threats they pose when using those accounts. For example, allowing admin users to access email and/or browse the internet is risky, as a stray link, a drive-by download or another piece of malware can gain an enormous foothold if it is triggered by someone with the keys to the kingdom.
Administrative users have the power to allow or grant themselves these kinds of conveniences or abilities, even if policy forbids it, so preventing and monitoring these configurations and settings is important.
As such, it is not just about the administrative process of granting and revoking the high-level accounts; it is also about controlling and monitoring what is done under them when they are used.
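One way to put the "validate that they need it, and remove it when they no longer do" process on a footing that can be checked is to compare the actual membership of the local Administrators group against an approved list on a schedule. The script below is an added example written for this article, not code from the original page or its author; the approved-member list (including the `CORP\Server-Admins` group name) is a constructed placeholder to be replaced with your own.

```powershell
# Added example (not from the article): audit local Administrators group
# membership against an approved list and report anything unexpected.
# The approved list below is a constructed placeholder; replace it with your own.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local account
    'CORP\Server-Admins'                 # hypothetical AD group that should hold admin rights
)

# Get-LocalGroupMember ships with Windows PowerShell 5.1 and PowerShell 7.
$Members = Get-LocalGroupMember -Group 'Administrators'

$Report = foreach ($m in $Members) {
    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass       # User or Group
        Source      = $m.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount
        Approved    = $ApprovedAdmins -contains $m.Name   # case-insensitive by default
    }
}

# Print the full picture, unapproved entries first.
$Report | Sort-Object Approved, Name | Format-Table -AutoSize

# Anything not on the list is a finding to validate (and document) or remove.
$Unapproved = @($Report | Where-Object { -not $_.Approved })
if ($Unapproved.Count -gt 0) {
    Write-Warning ("{0} unapproved member(s) of Administrators on {1}" -f $Unapproved.Count, $env:COMPUTERNAME)
}
```

Run it as a scheduled task or from a management host across the estate and keep the output: a history of who held admin rights, and when unexpected members appeared, is exactly the monitoring record the text calls for.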
These days there is an application for almost everything.
Give a person with sufficient grasp of computers and the Internet a problem, and a few searches later they will have found a software solution and be in the process of installing it.
The challenge for IT and security teams is two-fold. One is the plethora of applications and software they have to accommodate and manage: the security issues and patches, and the range of data types and silos of information.
The other is the perennial risk that these solutions actually introduce processes or data flows that are themselves security challenges.
Take, for example, a cloud-based contact management solution that allows the business user to track and share contact information, but which also (from the security point of view) exposes potentially sensitive data to a third party based who knows where. Software download and installation records, as well as the results of asset or software inventory processes, are key in detecting these types of threats, or at least flagging them.
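The software inventory the text describes can be produced from the registry Uninstall keys, which is where Windows installers record what they put on the machine. The script below is an added example for this article, not code from the original page or its author; the approved-publisher list is a constructed placeholder, and the per-user hive is included because user-installed software (the "found it and installed it" case above) is the part an inventory most often misses.

```powershell
# Added example (not from the article): build a software inventory from the
# registry Uninstall keys and flag entries whose publisher is not approved.
$ApprovedPublishers = @('Microsoft Corporation', 'Example Corp')   # constructed placeholder list

$UninstallPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',              # 64-bit machine-wide installs
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit machine-wide installs
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs of the current user
)

$Inventory = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |          # skip update stubs with no display name
    ForEach-Object {
        [pscustomobject]@{
            Name        = $_.DisplayName
            Version     = $_.DisplayVersion
            Publisher   = $_.Publisher
            InstallDate = $_.InstallDate       # yyyyMMdd string when the installer recorded it
            Scope       = if ($_.PSDrive.Name -eq 'HKCU') { 'User' } else { 'Machine' }
            Approved    = $ApprovedPublishers -contains $_.Publisher
        }
    }

# Full inventory, useful as the baseline to diff against next time.
$Inventory | Sort-Object Scope, Name | Format-Table Name, Version, Publisher, Scope, InstallDate -AutoSize

# Anything from an unapproved publisher is what the text calls a flag to investigate.
$Unapproved = @($Inventory | Where-Object { -not $_.Approved })
Write-Output ("{0} installed package(s), {1} from unapproved publishers" -f $Inventory.Count, $Unapproved.Count)
```

Exporting `$Inventory` to CSV on each run and comparing runs turns this from a snapshot into the installation record the text says is key: new entries, especially under the User scope, are the ones to review.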
Where authorised or standard applications are used it is important that they are configured to provide a degree of security protection. This is particularly relevant for web browsers as they are a major touch-point between the user’s systems and the content pushed out on the Internet, including that put there by cyber criminals who have malicious intent.
The way in which sites, content or files are trusted, and the latitude users have to ignore security warnings, bypass requirements for security checks or download material, all determine the chances of someone in your organisation ending up as "patient zero" for some form of malware or browser-based attack.
Macros are still a common way for malware to spread. The ubiquity of Word and Excel and their rich programming languages means that these applications and documents containing macro code can introduce significant risks.
If enabled, macros can be invoked by downloaded or received documents, and there is a clear threat of a malicious criminal actor getting their code running in your environment simply because a user opened a file they believed to be harmless.
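Whether macros "are enabled" in the sense above is decided per application by Office policy settings, so the useful check is to report what the policy actually says on a given machine. The script below is an added example for this article, not code from the original page or its author. It reads the Group Policy registry values that Microsoft documents for Office 2016 and later (the `16.0` key): `VBAWarnings`, which sets the macro security level, and `blockcontentexecutionfrominternet`, which blocks macros in files that carry the Mark of the Web. The definition of "Hardened" used in the output is the author's own assumption for this example: signed-only or fully disabled macros, or internet-origin macros blocked.

```powershell
# Added example (not from the article): report the effective Office macro policy
# for Word, Excel and PowerPoint. Office 2016/2019/365 store policy under the 16.0 key.
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings policy value, as documented by Microsoft.
$VbaMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all with notification (user can click Enable Content)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

$Report = foreach ($app in $Apps) {
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue   # $null if no policy is applied

    $vba   = $p.VBAWarnings
    $block = $p.blockcontentexecutionfrominternet

    [pscustomobject]@{
        Application         = $app
        VBAWarnings         = if ($null -ne $vba) { $VbaMeaning[[int]$vba] } else { 'Not set by policy (user-controlled)' }
        BlockInternetMacros = ($block -eq 1)
        # Assumed "hardened" bar for this example: signed-only / disabled, or internet-origin macros blocked.
        Hardened            = ($vba -in 3, 4) -or ($block -eq 1)
    }
}

$Report | Format-Table -AutoSize

$Weak = @($Report | Where-Object { -not $_.Hardened })
if ($Weak.Count -gt 0) {
    Write-Warning ("Macro policy not hardened for: {0}" -f ($Weak.Application -join ', '))
}
```

An application reporting "Not set by policy" is the case the text warns about: the user, not the organisation, decides whether a received document's macros run.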
Backups are a key part of business resilience, and where hardware fails or data is corrupted they have been known for some time as being indispensable.
In the world of cyber crime and ransomware though they also are critical to being in a position to avoid paying a ransom (and hence funding further crime) and avoiding data loss when systems and files are maliciously encrypted.
Some “ransomware” is actually faulty and data decryption might not be possible, or it might – as in the case of NotPetya – be designed to look like ransomware but actually not allow decryption at all, so backups are the only true way to avoid data loss.
The importance of backups, both on servers for critical files (which should already be in place) and at the workstation level (where coverage is much less likely to be comprehensive), has never been greater. Making sure that the schedules are running and that failures are resolved, so that data sets are timely and complete, is essential.
Multi-factor authentication (MFA) is a good idea but can be intrusive. How and where you use this technology is therefore often a local risk decision – but for web site/app-based customers and highly privileged users it is a powerful way to avoid the inherent weaknesses of passwords that are often poorly chosen, used across multiple systems or written down.
If a user's keyboard is being sniffed or their password file is exposed, or if the web site backend data containing the user credentials is stolen, multi-factor controls might be a saving grace. Preventing attackers and criminals from accessing accounts, even when they do know the passwords to get past the initial login prompt, is becoming much more widely expected for sensitive data and high-level access.
As we said at the outset, the recommendations above are not exhaustive. There are many other security controls needed to provide a robust defence and keep a network crime free. However, the safeguards and processes listed here, based as they are on practical experience of past breaches, are the most essential ones to have in place and working effectively. They account for the commonest attacks and for those attempts by cyber criminals to subvert specific controls such as anti-virus gateways or proxies.
The level of maturity in these areas, if it can be monitored and tracked over time, is a fair bellwether for the overall cyber resilience and risk posture of the business and the best way for the board to understand the cyber crime risks it faces.
If you have got these controls in place and working effectively, you will be much safer than if they are ineffective or not in place at all. If you don’t know how well your business is performing in these areas, then it is important to find out.