So what are the biggest threats to your organisation and how can you secure it against them?
The Human Factor
Many of today’s threats are highly sophisticated, but often the starting-point for a targeted attack is to trick individuals in the company into doing something that puts the company’s security at risk. Unfortunately, businesses often ignore the human dimension of security. Even if the need for staff awareness is acknowledged, the methods used don’t achieve positive results. Yet we ignore the human factor in corporate security at our peril, since it’s all too clear that technology alone can’t guarantee security. So it’s important for organisations to make security awareness part of their security strategy.
Threats to privacy
Every time we sign up for an online account, we disclose information about ourselves; and companies around the world actively gather information about their customers. The threat to privacy takes two forms. First, personal data is put at risk if the provider of goods and services we do business with is compromised. Second, companies aggregate and use the information they hold about us for advertising and promotional purposes, even where it’s unclear that they’re doing this, or how to opt out of this process. We all need to realise that our personal data has value – to cyber-criminals and legitimate businesses alike. It’s also important to understand that the risk of over-sharing extends to the organisation we work for: cyber-criminals actively gather public data in order to frame targeted attacks against businesses. For this reason, organisations need to raise awareness among employees about the risks associated with sharing information online.
We’re all predisposed to trust web sites with a security certificate issued by a bona fide Certificate Authority [CA], or an application with a valid digital certificate. Unfortunately, not only have cyber-criminals been able to issue fake certificates for their malware (using so-called self-signed certificates), they have also been able to successfully breach the systems of various CAs and use stolen certificates to sign their code. The problem can be compounded if a security vendor automatically adds an application with a stolen certificate to their white-list of known-good applications.
The Cloud
There are two key factors driving development of cloud services. The first is cost: the economies of scale that can be achieved by storing data or hosting applications in the cloud can result in significant savings for any business. The second is flexibility: data can be accessed any time, any place, anywhere – and from any device, including laptops, tablets and smartphones. But as the use of the cloud grows, so too will the number of security threats that target it. It’s important that businesses understand that, while they may outsource the handling and storage of their data, they can’t out-source responsibility for the data itself. If their provider’s systems are breached, and data is exposed, they are responsible. Therefore, businesses need to assess the potential risks in just the same way that they would if they were storing data internally. There are also other issues that need to be considered. These include where the company’s data will be stored geographically, the legal jurisdiction that will apply to the data, what steps will be taken to secure the data on their provider’s systems (including how it will be secured from others who use the same provider) and the logistics involved in migrating the data to another provider in the future.
Mobile
The traditional ‘work place’ is disappearing. So the task of securing data has become harder for businesses as staff increasingly conduct business ‘on the go’: at home, at the airport, in the hotel – or anywhere else they can get a wireless signal. It’s not so much that the traditional network perimeter has disappeared. Rather it has become fragmented – and moves around as employees do. This has increased the points of exposure to malware and hackers. Business security is also being affected by a related development, the growing use of smartphones at work.
IT departments now have to manage a heterogeneous mix of endpoint devices: desktops, laptops and smartphones – often a variety of different smartphones. The problem is exacerbated because many people use the same device for personal and business use – a trend often referred to as ‘bring your own device’ [BYOD]. So loss of data on a device may be bad news not just for an individual, but for the business too. It could adversely affect the company’s reputation, or put confidential data into the public domain. So the potential risk comes not just from the threat of malware, but also from data leakage – either through loss or theft of a mobile device. The impact on corporate security is twofold. First, security policies must be revised to reflect the changes in working practices. It’s no longer possible for IT departments to defend the traditional network perimeter. Instead, they must apply a security ‘wrapper’ around every employee – so that they are protected wherever they work and whatever device they use. Second, the tools deployed across the business must be flexible enough to implement this ‘follow-me security’ policy.
Out of date software and vulnerabilities
One of the key methods used by cyber-criminals to install malware on victims’ computers is to exploit un-patched vulnerabilities in applications. This relies on the existence of vulnerabilities and the failure of individuals or businesses to patch their applications. Cyber-criminals typically focus their attention on applications that are widely-used and are likely to be un-patched for the longest time – giving them a sufficient window of opportunity to achieve their goals. Java vulnerabilities currently account for more than 90 per cent of attacks, although other applications, such as Adobe Reader, continue to attract the attention of cyber-criminals. To reduce the ‘attack surface’, businesses must ensure that they run the latest versions of software, apply security updates as they become available and remove software that is no longer needed in the organisation. The use of a vulnerability scanner to identify un-patched applications will also help to minimise the risk of such applications being overlooked and being exploited by cyber-criminals to gain access to business systems.
Criminals will always exist, whether in real life or in the cyber-world, and businesses will always be targets. However, as we have demonstrated, there are areas of weakness which, if businesses protect them, will minimise the risk of attack. Ensuring that all members of your organisation are united in the fight against cyber-criminals, and know what to look out for when it comes to attempts to breach security, will mean your business remains strong enough to fight and live another day.
David Emm, Senior security researcher, Kaspersky Lab
www.kasperskylab.com
© CITY SECURITY MAGAZINE – SPRING 2014