Chapter 8 - Cyber Security Threats Flashcards
Questions to ask about Cyber Risk:
- How are data and operating systems protected from unauthorised access and manipulation?
- How are breaches identified, analysed, remedied and reported?
What is cyber security?
- Practice of protecting systems, networks and programs from digital attacks
- Cyberattacks are aimed at: accessing, changing or destroying sensitive info, extorting money from users or interrupting normal business processes
Examples of sensitive info:
- Customers, suppliers and employee personal data
- Org’s own financial records
- Data stored within infrastructure and operating systems
- Medical data from employees, customers and other stakeholders
- Intellectual property which may be of value if it can be illegally accessed
- Operational data – locations of sensitive assets
Cybersecurity objectives:
- Availability
- Confidentiality
- Integrity of data
- Integrity of processing
- Establishing, maintaining and approving objectives
Cybersecurity objective - availability:
- Availability objectives = opening data up to those who have the right to access it
Cybersecurity objective - confidentiality:
- There are legal requirements to maintain confidentiality over data across many jurisdictions
- Confidentiality objectives = stopping data from being accessed by those who do not have the right to access it
Cybersecurity objective - Integrity of data:
- Objectives should ensure that data is kept secure and not lost or corrupted at any stage of its life cycle
- Objectives to verify reliability of data used for decisions (source), its intelligibility (what it is saying) and accuracy (is it valid?)
Cybersecurity objective - Integrity of processing:
Objectives should ensure that:
- processing does not abuse or lose data
- efficient usage is encouraged
- data is only used for stated, legitimate purposes
Cybersecurity objective - establishing, maintaining and approving objectives:
- Orgs need to have a formal process for establishing, maintaining and approving cyber security objectives
- Objectives would need board approval – requires a dedicated cybersecurity expert or IT expertise
- Support from third parties creates trust issues, which creates risk
- Boards need to monitor success of objectives
Organisational characteristics to consider when setting objectives:
- Technologies
- Connection types and service providers
- Delivery channels
Considering technologies used as part of business model:
- Proportion of activity that is online
- Amount of digital interaction with customers and other stakeholders
- Type of data collected and way it is used + stored
Considering connection types and service providers:
- Connection types = physical or virtual, wired or wireless, networked or standalone, national or international
- Reliance on service providers creates cybersecurity risks – cloud-based computing and managing valuable data
What is cloud-based computing?
Solution for providing digital storage and processing that uses a separate org’s capacity and is only accessible online
Risks of cloud-based computing:
- Loss of data if provider is affected by an incident itself
- Reliance on a functioning network to gain access to own data
- Concerns over whether cloud computing provider is susceptible to cybersecurity breach
- Legal action from org’s stakeholders if data is compromised while stored on a cloud computing provider
Considering delivery channels for data:
- Website:
* Collect data + interact with stakeholders
* Creates risk to sensitive data
- Intranet:
* Internal website that can be accessed remotely
* Creates risk to digital data
- Email:
* Spam is main risk – includes interception, eavesdropping and spoofing (impersonation to gain advantage)
* Compromises integrity of email and requires controls to be in place
- Telephone:
* Subject to eavesdropping and interception
* Compromises confidentiality of discussions
- Instant messaging:
* Spoofing as SPIM (IM equivalent of spam)
* Could lead to service charges for users + highlights limited controls
- Social media:
* Can be accessed illegally
* Creates risk that messages are posted that org has not approved
Cybersecurity objectives should be considered in terms of PESTEL:
Political:
* New legislation raising security standards
* Global geopolitical cybersecurity risks – state-sponsored data hacking and foreign investment in utility companies which can access personal data
Economic:
* Failure of systems due to hacking/poor design and operation can cost orgs significant amounts of money
Social:
* Customers are increasingly sensitive to the impact of security breaches – requires orgs to understand and meet social concerns for better protection of all data
Technological changes:
* Advances in tech are likely to be exploited by organised cybercriminality for profit
* Does provide opportunities as well, such as artificial intelligence and big data to monitor digital activity more thoroughly
Environmental changes:
* Hurricane, earthquake or tsunami – orgs need contingency plans in place
Legal:
* New regulation to protect against cybercrime
* Sarbanes-Oxley = encourages orgs to be proactive in the development of cybersecurity policies and this raises compliance levels, which could be stipulated in contractual agreements
Risks presented by systems and networks:
- Remote access instead of physical – anyone can gain access if they have right credentials
- Systems being left open to allow operations to occur – need to know who to let in and who to stop
- Failure by third parties who provide systems and networks
- Natural risks such as flood, power cuts, earthquake and accidents
What is malware?
Attempts to gain unauthorised access to orgs in order to damage/disrupt computers or networks and steal/affect sensitive info
What is a virus?
- Attaches itself to an existing programme and spreads as that programme is used, shared or accessed across an existing network
- Requires a target/host user to initiate it (user clicks on it)
What is a worm?
- Does not require a user to launch it to cause damage
- Standalone software – does not attach itself to host/target programmes
- Operates independently – enters a system via an existing vulnerability and spreads as the host/target operates normally
What is a trojan?
- Will not spread once it has infiltrated a network and been launched by a user
- It sits within the network and can perform functions ranging from harmless pop-up ads to more serious forms of malware that can allow access to external users
What are bots?
- Automated process
- Web crawlers gather info and do not always represent a malware threat
- Botnet = accesses a series of networks and allows a malicious user to control them remotely
- Some act as keyloggers = record keys pressed by users in an attempt to access password-protected content
Transportation of malware:
- Accidentally downloaded by users from internet
- Unknowingly attached to emails and then accidentally clicked
- Inadvertently carried on storage devices (USB drives)
- Sophisticated malware can spread independently across computers and networks
Internal & External Malware threats:
Internal malware threats:
* Employees could fail to observe cybersecurity protocols
* Employees who hold a grudge could deliberately introduce malware either for financial gain or fun
External malware threats:
* Hacking for extortion, publicity, spyware or revenge
Defences against malware:
- Perimeter defences (firewalls) = spot threats as they pass through and monitor actions of emails once they have entered org’s systems for illegal activity
- Segmentation into different compartmentalised parts to help contain infiltrated malware
- Housekeeping activities = ensuring software and systems are regularly updated and taking regular back-up copies
- Gatekeeping controls (e.g. I am not a robot)
What is hacking?
Gaining access to info that you are not meant to access and without the user's knowledge (illegally)
What is phishing?
- Theft of login details, credit card numbers or passwords for personal gain
- Requires personal info to be divulged willingly for a purpose that appears logical but is criminal
- Incredibly effective method of using email to circumvent org’s controls
What is ransomware?
Extorting money by blocking access to files or systems until a fee is paid
What are distributed denial-of-service attacks?
- Disabling a system by bombarding it with more activity than it can cope with
- They can focus on volume = the sheer number of contacts made can disable systems
- Some trigger certain applications, flooding target systems with requests that keep them busy
- Protocol-based DDoS generates requests that require specific responses, flooding the target's system with too much activity
Examples of web application attacks:
- Hacking
- Phishing
- Ransomware
- DDoS
Defences against web application attacks:
- Firewalls
- Antivirus software that is kept up to date
- Other operating software that is legitimate and supported by developer
- Encourage better user education
- Filters to block potential malicious emails
- Adaptive technology to spot new and emerging threats
- Systems of trust
- Certify emails by independent certification (McAfee)
What is a white-hat hacker?
- Work for owners of a system
* Look for gaps in the systems and inform owners of weaknesses to be improved
What is a black-hat hacker?
- Find gaps in cybersecurity and exploit them for own malicious purposes
What is a grey-hat hacker?
- Won’t be working for the owner of a system
- Flag weaknesses and fix them for a fee without exploitation
- Or post details online for all users to see if there is no response from owner
What is social engineering?
- Exploiting someone’s trust to gain physical or virtual access to data
- Occurs digitally or in the real world by blagging or somehow finding a way into the company (fake identification, uniform or cover story)
- Dumpster diving for old, disposed-of machinery
Opportunities from white-, black- and grey-hat hackers:
- Black-hat hackers can create malware threats that could lead to extra costs, lost data and additional work that could be prevented by having adequate defences
- Security testing – using white-hat and grey-hat hackers to test security defences
- Simulations – white-hat hackers can conduct simulation tests to train staff and raise awareness
- Peer review – audits by peers can lead to comparative analysis to highlight areas for improvement (less resource intensive approach)
Downside risks from cybersecurity breaches:
- Lead to operational downtime while it is addressed – may lead to loss of sales
- Cost of repairs/ upgrades can be significant
- Adverse impact on company’s share price
- Questions may emerge over quality of org’s leadership and management
- May be loss of customers if dissatisfied with service
- Loss of reputation
- Legal and industry consequences – breaching GDPR can lead to a fine of €20 million or 4% of global revenues, whichever is higher