Vulnerable insider (moderate motive, high opportunity, high method)
Bribed or blackmailed, vulnerable insiders tend not to have a history of wrongdoing with the firm, and so are harder to detect. Attackers might exploit gambling or credit debts, a growing problem among young professionals. Method and opportunity are high as the attackers can coerce the insider, whose clean record allows them to act undetected, negating some of the technical security. Motive can be lowered to moderate through employee engagement.
WIMPS (low motive, moderate opportunity, moderate method)
By ignoring SOPs, WIMPS create opportunities for attackers. Mitigation is through staff engagement, training and awareness. Identifying how and why SOPs and protocols can be circumvented leads to new policies and procedures to deter attacks.
Unwitting employees (low motive, high opportunity, moderate method)
Staff can inadvertently create opportunities for attackers who use scams such as ransomware (computer malware that takes the victim’s data hostage, with demands for money to release it), and various forms of phishing. Two enterprise-level phishing threats are:
• Spear-phishing: directed at individuals and companies to gather information about the target; accounts for most current attacks.
• Clone-phishing: clones an existing legitimate email, replaces its attachment or link with a false version, and re-sends it apparently from the real sender; can spread quickly among duped parties who trust each other.
Mitigation is by reducing opportunity and creating a culture of cyber awareness, so staff understand, recognise, and avoid such threats.
Cyber awareness culture
Creating awareness is difficult, but can be achieved by training on SOPs and on individual roles in company security; staff who misunderstand the purpose of security can become WIMPs by finding ways to circumvent it. Cyber security is too often based on surveillance, technical complexity, and deliberately keeping information away from staff on a misdirected principle of ‘need-to-know’. The reverse is usually true:
© CITY SECURITY MAGAZINE – SUMMER 2017
• Empowered employees support security and help identify and eliminate vulnerabilities.
• Staff who feel untrusted might see security as directed against them, and find ways to defeat it. Morale, productivity, and staff turnover can be adversely affected.
• A better principle is to start with trust, and view staff who cannot be trusted to be part of the company’s security as less valuable employees.
Four principles help create a strong cyber security culture:
1. Ensure everyone from the CEO downwards understands and adheres to SOPs. When managers ignore rules they alienate staff and create opportunities for attackers; note the rising prevalence of CEO and senior management impersonation in emails and online, so-called ‘whaling’ attacks (where an email or web page targeting a senior manager can purport to come from a known senior internal or external stakeholder, for example with a false claim for compensation or a false client approach).
2. Make training interactive, with posters, using game-playing techniques, practical exercises, and entertaining media such as ‘xkcd’ web-comics.
3. Training should always contain something new and interesting. Any training needs tailoring to the audience, but the aim is to create cyber situational awareness. This includes basic technical education, explaining unfamiliar terms.
4. Encourage feedback and track the success of specific outputs.
Cyber situational awareness
Knowing how cyber attacks work reduces method and opportunity. Technical methods can be explained by linking cyber principles and concepts to physical equivalents. For example:
• Not logging-off unattended computers or smartphones is like leaving houses or cars unlocked.
• Leaving sensitive documents on unprotected network drives is like leaving them in paper form on unattended desks.
• Disreputable websites are run by untrustworthy people who misuse or exploit you and your information as if you had engaged them face to face in a disreputable nightclub.
Technical solutions
Appropriate technical mitigations are also important, with solutions dependent on each company’s unique risk assessment. Examples include:
• Controlling access privileges
• Encrypting sensitive files
• Password security following guidance from GCHQ and the National Cyber Security Centre
• Robust physical site security and resilient internal infrastructure
• Appropriate firewalls
• Secure, snapshot backups
• USB dongles
• Using social media technology to help screen those who need access
• Web-verification tools to protect against specific types of attack
Conclusion
Cybercrime is a rapidly growing concern with commensurate risks and costs. Most threats have equivalents in the physical workspace and are often best understood and managed as such.
By using the ‘Motive x Method x Opportunity’ approach within a robust risk assessment framework that complies with acknowledged standards, in particular ISO 31000 and the ISO 27000 series, some businesses can save resources and combat cyber threats by focusing less on complex technical solutions and more on physical and human ones.
Michael Yeomans Intelligence Analyst, Pilgrims Group Ltd.