- January 1, 2019
- Posted by: Bernard Mallia
Cybersecurity is becoming increasingly important for organisations and individuals as a result of the growing number of attacks on businesses, government systems and private citizens, as well as the increasing sophistication of those attacks. The threats are continually evolving, and today’s defences do not always manage to keep pace. The recent successful attacks on several large companies with fairly robust cybersecurity programmes illustrate the risks that anyone who is online continuously faces.
Securing data holdings before they are compromised, and having second and third lines of defence, has thus become paramount. In a number of cases it is also a matter of legal compliance, such as where personal data in the GDPR sense is involved or where the organisation in question falls within the scope of the NIS Directive. Businesses can learn how to do just that by adopting a risk-based approach to cybersecurity. Risk management includes a comprehensive plan for protecting information assets from all threats through awareness, education, policy development and enforcement, security technology implementation (including testing), security design review and remediation, incident response plans, business continuity plans (including business resumption planning) and regulatory compliance.
A good starting point is always to develop an inventory of your information systems (including Internet applications), their various software strata, and the computers or other devices that connect directly or indirectly with those systems, recording where they are physically located and how they connect to corporate Local Area Networks (LANs) and the Internet. The completion of this exercise should be followed by a risk mapping exercise using a “risk matrix” or scoring system based on the likelihood and impact of harm resulting from the compromise of any one of the assets identified in the inventory. Impact can be measured in terms of direct financial cost, but beyond purely pecuniary costs it also needs to put a monetary value on the loss of reputation or brand value caused by poor customer service during the downtime that inevitably follows an attack on critical systems. The score should also factor in the potential reputational and regulatory consequences of lost or stolen confidential client data in the event of a breach, and should identify the most likely source of a breach so that precautionary measures can be taken to stop those breaches from happening.
Next comes a Risk Assessment. An organisation can conduct its own assessment using internal staff members with security expertise who understand risks inherent within their respective domains. Alternatively, they can engage external experts to evaluate the current state of activity related to cybersecurity by assessing vulnerabilities associated with potential breach(es).
This should include the following at the very least:
Access control is the process of providing users and applications with access to network resources. Each user or application should be provided with a set of specific privileges. These privileges must be granted by an entity that has authorisation over the requested resource(s) in order for the request to succeed (i.e., granting access to a user account on a file server requires the approval of an administrator).
Access control, access revocation and access monitoring are three fundamental tenets of secure networking. Network architectures should be designed to support each of these tenets, even though many are not. Access control and access revocation are based on the concept of layered security. The main idea behind layered security is that multiple entities in a network can share information through increasingly strong trust relationships, from devices to users and applications. As defined by the USA’s National Institute of Standards and Technology (NIST), layered security systems consist of three basic layers:
- Authentication: The process of verifying the identity of an entity attempting to gain system access;
- Authorisation: The process that assigns rights or permissions to an authenticated entity; and
- Accountability: The process used for monitoring or identifying actions performed by an authorised user or device.
There are two main methods for managing access control: centralised and decentralised. A centralised system, such as Kerberos, provides security services at a central point in the network, which makes it easier to manage than a decentralised system, such as ACLs or RBAC. However, having all authentication requests pass through one location increases risk exposure and creates a single point of failure that can affect availability, depending on how well that central point is protected from attack. Regardless of which method is used, some common components are in use:
- Identity: The unique identifier associated with an identity or group;
- Policy: The set of permissions attached to an identity or group; and
- Access Control List (ACL): A list that defines which entities have access to which resources within the environment. ACLs can be applied at different layers, such as host level, subnet level or individual IP address level. When designing your ACL policy you should take into consideration external threats (e.g. intruders), internal threats (e.g. disgruntled employees), and privileged users who may attempt unauthorised modifications in your environment.
Centralised systems are typically tied directly into an enterprise directory service while decentralised systems require more manual configuration but provide stronger enforcement capabilities because they rely less on network connectivity due to their distributed nature.
When implementing any type of identity management solution, it must be configured so that each entity has only one account, so that credentials do not get inadvertently leaked across multiple accounts. Another important step is ensuring that each account has its own strong password: preferably randomly generated, never reused, long (at least 12 characters) and containing upper case letters, lower case letters, numbers and special characters, in order to resist brute-force attacks.
NIST SP 800-53 outlines five mandatory requirements regarding administrative access controls, namely:
- Role assignment validity period – role assignments should have limited lifetimes so administrators cannot maintain privileged roles indefinitely;
- Role definition – administrative roles must include all privileges required to perform assigned tasks;
- Roles must not contain unnecessary privileges – excess privileges increase risks associated with allowing these accounts administrative permissions;
- Privileges assigned through roles rather than directly – only assign authorised privilege sets using role assignments, rather than adding multiple separate permissions individually per service / resource owner;
- Account provisioning life cycle – processes should exist for resetting passwords, disabling accounts and revoking access.
Privilege separation, where processes running under high-privilege accounts do not have full control over resources located higher up in the identity hierarchy, is also a proven best practice.
Lastly, in implementing identity management solutions, well-thought-out procedures are needed for revoking access rights from users, as well as from invalid or terminated entities, in the shortest time possible when necessary. User accounts, particularly those of users with administrative roles, should have limited lifetimes so that administrators cannot retain privileged roles indefinitely. This decreases risk exposure over time while also helping to mitigate the risks associated with allowing these accounts administrative permissions until they are no longer needed.
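The following is an added example, not code from the original article or from the author’s consultancy, of how the three layers above (authentication of the requester, authorisation through roles, and an accountability record of every decision) combine with time-limited role assignments and immediate revocation. The roles, permission names and users are constructed for illustration; the point it demonstrates is that an expired or revoked assignment stops granting privileges without any further configuration, and that denied requests are logged just like allowed ones.

```python
"""Added example (not from the original article): a minimal role-based
access-control model with time-limited role assignments, revocation and an
audit trail. All role names, permission strings and users are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class RoleAssignment:
    role: str
    expires_at: datetime      # every assignment carries a lifetime (no indefinite admins)
    revoked: bool = False


@dataclass
class AccessControl:
    roles: dict[str, set[str]]                                   # role -> permissions it grants
    assignments: dict[str, list[RoleAssignment]] = field(default_factory=dict)
    audit_log: list[tuple[datetime, str, str, str]] = field(default_factory=list)

    def assign(self, user: str, role: str, lifetime: timedelta, now: datetime) -> None:
        """Grant `role` to `user` for `lifetime`; unknown roles are rejected."""
        if role not in self.roles:
            raise ValueError(f"unknown role {role!r}")
        self.assignments.setdefault(user, []).append(
            RoleAssignment(role, expires_at=now + lifetime))

    def revoke(self, user: str, role: str) -> int:
        """Revoke every active assignment of `role` for `user`; returns how many."""
        count = 0
        for a in self.assignments.get(user, []):
            if a.role == role and not a.revoked:
                a.revoked = True
                count += 1
        return count

    def effective_permissions(self, user: str, now: datetime) -> set[str]:
        """Union of permissions from assignments that are neither revoked nor expired."""
        perms: set[str] = set()
        for a in self.assignments.get(user, []):
            if not a.revoked and now < a.expires_at:
                perms |= self.roles[a.role]
        return perms

    def check(self, user: str, permission: str, now: datetime) -> bool:
        """Authorisation decision; every decision (allow or deny) is recorded."""
        allowed = permission in self.effective_permissions(user, now)
        self.audit_log.append((now, user, permission, "allow" if allowed else "deny"))
        return allowed


def demo() -> dict[str, bool]:
    """Walk through an 8-hour admin shift, a long-lived analyst role and a revocation."""
    t0 = datetime(2019, 1, 1, 9, 0, tzinfo=timezone.utc)
    ac = AccessControl(roles={
        "fileserver-admin": {"files:read", "files:write", "files:admin"},
        "analyst": {"files:read"},
    })
    ac.assign("alice", "fileserver-admin", timedelta(hours=8), now=t0)
    ac.assign("bob", "analyst", timedelta(days=30), now=t0)
    results = {
        "alice_admin_during_shift": ac.check("alice", "files:admin", t0 + timedelta(hours=1)),
        "alice_admin_after_expiry": ac.check("alice", "files:admin", t0 + timedelta(hours=9)),
        "bob_read": ac.check("bob", "files:read", t0 + timedelta(days=1)),
        "bob_write": ac.check("bob", "files:write", t0 + timedelta(days=1)),
    }
    ac.revoke("bob", "analyst")   # e.g. bob leaves the company: access gone immediately
    results["bob_read_after_revoke"] = ac.check("bob", "files:read", t0 + timedelta(days=1))
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

In a real deployment the audit log would be shipped off-host so that an administrator whose role has expired cannot also tamper with the record of what they did; the in-memory list here only stands in for that sink.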
Access monitoring is the process of auditing user activity, such as logins and access to files. It records events that you choose to monitor once they happen in your network so you can monitor them for suspicious activities in real-time and have the possibility to retrieve a log of the same activities at a later date if necessary. There are two main types of access monitoring:
- direct (i.e., monitoring user activity directly); and
- indirect (i.e., monitoring audit trails).
Direct methods usually require software to be installed on each device, whereas indirect methods rely solely on network-based logging mechanisms. The indirect approach increases the implementation overhead but lowers cost, as it requires no software or hardware purchases beyond the investment already made in your existing infrastructure. Each method offers a different level of granularity.
A honeypot is typically a decoy resource, isolated from production systems so that users cannot gain direct access into them, which is used as a way to lure and identify malicious users both in real time and via log analysis. The honeypot strategy has a wide range of applications, from email spam detection and elimination all the way to presenting a false prize with which to detect and observe successful intrusions.
An IDS attempts to detect intrusions based on specific patterns and behaviours associated with malicious actors. IDSs are typically devices or software applications that monitor a network or an information system for malicious activity or policy violations. Any malicious activity or violation is typically blocked until reviewed by a human and is then reported or collected centrally using a security information and event management (SIEM) system. Several types of IDS exist, including, but not limited to, signature-based, anomaly-based and behaviour-based detection.
Log analysis is typically performed manually by investigators looking for suspicious activity within logs generated by security devices and applications on a network or information system. Despite being a reactive rather than a proactive approach to security, it can determine the nature of an attack or a botched attack attempt post hoc and can provide useful lessons for cyber-defence in the future.
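The two IDS approaches named above, signature-based and anomaly-based detection, and the log analysis that follows can be illustrated with a small script. The following is an added example, not code from the original article or from the author’s consultancy: it parses a handful of constructed SSH-style authentication log lines, applies one signature rule (a password login as root, which the constructed policy forbids) and one anomaly rule (several failures from one source within a short window followed by a success), and returns the alerts. The log lines, host names, addresses and thresholds are all constructed for illustration.

```python
"""Added example (not from the original article): signature- and anomaly-based
rules over constructed sshd-style log lines. All data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled loosely on sshd syslog output (not a real capture).
SAMPLE_LOG = """\
2019-01-01T08:00:01 srv1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
2019-01-01T08:00:12 srv1 sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
2019-01-01T08:00:14 srv1 sshd[1211]: Failed password for root from 203.0.113.9 port 40002 ssh2
2019-01-01T08:00:15 srv1 sshd[1212]: Failed password for root from 203.0.113.9 port 40003 ssh2
2019-01-01T08:00:17 srv1 sshd[1213]: Failed password for root from 203.0.113.9 port 40004 ssh2
2019-01-01T08:00:19 srv1 sshd[1214]: Failed password for root from 203.0.113.9 port 40005 ssh2
2019-01-01T08:00:21 srv1 sshd[1215]: Accepted password for root from 203.0.113.9 port 40006 ssh2
2019-01-01T09:30:00 srv1 sshd[1300]: Failed password for bob from 10.0.0.7 port 51000 ssh2
2019-01-01T09:30:20 srv1 sshd[1301]: Accepted password for bob from 10.0.0.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text: str) -> list[dict]:
    """Turn matching log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def signature_alerts(events: list[dict]) -> list[str]:
    """Signature rule: a successful password login as root violates the
    constructed policy, regardless of where it came from."""
    return [f"signature: root password login from {e['src']} at {e['ts'].isoformat()}"
            for e in events if e["user"] == "root" and e["result"] == "Accepted"]


def anomaly_alerts(events: list[dict], threshold: int = 3,
                   window: timedelta = timedelta(minutes=1)) -> list[str]:
    """Anomaly rule: at least `threshold` failures from one source within `window`,
    followed by a success from the same source, is flagged as a likely brute force."""
    alerts = []
    failures: dict[str, list[datetime]] = defaultdict(list)
    for e in events:                      # events are assumed to be in time order
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        failures[e["src"]] = recent       # drop failures that fell out of the window
        if e["result"] == "Failed":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append(f"anomaly: {len(recent)} failures then success "
                          f"from {e['src']} as {e['user']}")
    return alerts


def analyse(log_text: str) -> list[str]:
    events = parse(log_text)
    return signature_alerts(events) + anomaly_alerts(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Bob’s single typo at 09:30 produces no alert, which is the trade-off the threshold and window encode: lowering either catches slower attacks but raises the false-positive rate, so both values should be tuned against the organisation’s own baseline of failed logins.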
Database Auditing systems monitor database tables and data sources for any changes made against application tables thus identifying unauthorised modifications or deletions related to data stored in those databases. Data poisoning has been designated as one of the biggest threats to AI systems now and in the future, thereby making Database Auditing systems a very important monitoring tool for AI systems.
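One standard way to build the database auditing described above is to have the database itself write every change to an append-only audit table, and then to compare the recorded actors against the list of principals that are allowed to modify the data. The following is an added example, not code from the original article or from the author’s consultancy, using SQLite triggers (the same pattern exists in every major SQL engine). The table names, the customer rows, the `session_ctx` convention for recording the acting principal, and the allowed-writer list are all constructed for illustration.

```python
"""Added example (not from the original article): trigger-based auditing of an
application table in SQLite, with a check for changes made by principals that
are not allowed to write. Schema, data and policy are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, credit_limit INTEGER);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    table_name TEXT NOT NULL,
    action TEXT NOT NULL,
    row_id INTEGER NOT NULL,
    old_value TEXT,
    new_value TEXT,
    changed_by TEXT NOT NULL
);
-- Constructed convention: the application records the acting principal here
-- before issuing writes, so the triggers can attribute each change.
CREATE TABLE session_ctx (k TEXT PRIMARY KEY, v TEXT);
CREATE TRIGGER customers_upd AFTER UPDATE ON customers
BEGIN
    INSERT INTO audit_log(table_name, action, row_id, old_value, new_value, changed_by)
    VALUES ('customers', 'UPDATE', OLD.id,
            OLD.name || '|' || OLD.credit_limit,
            NEW.name || '|' || NEW.credit_limit,
            (SELECT v FROM session_ctx WHERE k = 'user'));
END;
CREATE TRIGGER customers_del AFTER DELETE ON customers
BEGIN
    INSERT INTO audit_log(table_name, action, row_id, old_value, new_value, changed_by)
    VALUES ('customers', 'DELETE', OLD.id,
            OLD.name || '|' || OLD.credit_limit, NULL,
            (SELECT v FROM session_ctx WHERE k = 'user'));
END;
"""

# Constructed policy: only the billing service may change customer records.
ALLOWED_WRITERS = {"billing-service"}


def setup() -> sqlite3.Connection:
    """Create the schema in memory and seed two constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers(id, name, credit_limit) VALUES (?, ?, ?)",
                     [(1, "Acme Ltd", 1000), (2, "Globex", 500)])
    conn.commit()
    return conn


def act_as(conn: sqlite3.Connection, user: str) -> None:
    """Record which principal the following statements run as."""
    conn.execute("INSERT OR REPLACE INTO session_ctx(k, v) VALUES ('user', ?)", (user,))


def audit_rows(conn: sqlite3.Connection) -> list[tuple]:
    return conn.execute(
        "SELECT action, row_id, old_value, new_value, changed_by FROM audit_log ORDER BY id"
    ).fetchall()


def unauthorised_changes(conn: sqlite3.Connection) -> list[tuple]:
    """Audit rows whose actor is not on the allowed-writer list."""
    return [r for r in audit_rows(conn) if r[4] not in ALLOWED_WRITERS]


def demo() -> list[tuple]:
    """One legitimate change, then two changes by a principal that should never write."""
    conn = setup()
    act_as(conn, "billing-service")
    conn.execute("UPDATE customers SET credit_limit = 1500 WHERE id = 1")
    act_as(conn, "intern-laptop")   # constructed: not an allowed writer
    conn.execute("UPDATE customers SET credit_limit = 999999 WHERE id = 2")
    conn.execute("DELETE FROM customers WHERE id = 1")
    conn.commit()
    return unauthorised_changes(conn)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The check only holds if the principals that can write to `customers` cannot also drop the triggers or edit `audit_log`; in production the audit table is therefore owned by a separate account, or the rows are shipped out of the database to a log sink the application users cannot reach.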
Auditing alone cannot validate the effectiveness of the security infrastructure: in addition to Database Auditing systems, mechanisms need to be in place to prevent intrusions and attacks from occurring in the first place.
Social engineering (or phishing) is an attack vector that uses various techniques – such as manipulation, deception and the abuse of trust – to manipulate a person into performing actions or divulging confidential information. These attacks are not limited to computer systems, but may also be directed at personal contacts found on social media websites such as Facebook, Twitter and MySpace.
Social engineering tests are usually conducted following anti-social engineering training to find out how employees respond to social engineering tactics after having been warned against them. The goal is not only to find the number of employees that open a phishing email or answer a phishing call, but also the number of workers who actually fall for the attack.
Penetration testing entails launching hacking attacks against specific IT assets within the network in order to assess weaknesses in existing controls such as weak passwords associated with privileged accounts used for administrative purposes (a classic case where insider threats abound). In many organisations, these privileges are shared among several employees so there is little control over who actually uses them after-hours when no one else may be around who might detect unauthorised use or abuse.
Social media is an effective tool for managing and engaging with your audience. However, it can also be a security risk if your organisation’s social media accounts, or those of any one of its employees, are not secure.
An effective way to mitigate the risk of such attacks is to embed security awareness training into your organisation’s culture.
Our social media security testing service allows us to access your social networks using fake accounts, without being detected as bogus users. When creating the fake accounts, we select names that match the profiles of real employees in order to blend in seamlessly with other members of the company’s social sphere. We then proceed to gather data about the organisation from its employees’ public posts on Facebook, Twitter and other sites, which we use to try to gain unauthorised access to corporate servers by hijacking employee identities or otherwise taking advantage of their privileges.
Our goal is always to identify vulnerabilities that would expose your network and to inform you about how you can prevent cyberattacks against your computers and servers via social media.
Physical security testing is conducted to find out whether the building’s safety features can be bypassed or disabled by unauthorised individuals. It is a means of testing the physical, operational and environmental security of your organisation. It involves assessing door locks and windows, as well as electronic access control devices such as card readers and keypads. We also check the location of fire extinguishers, emergency exit signs, fire alarm systems and sprinklers to ensure that they are functioning properly, as well as trying to get into the building without authorisation.
An organisation also needs procedures for its own staff members to understand what constitutes suspicious behaviour within their respective domains (whether it relates directly or indirectly to information systems) and how best they can report these events up through established hierarchies without fear of reprisals.
Likewise, there must be policies covering all aspects of cybersecurity including:
- precautions against phishing scams aimed at enabling hackers to gain access into your network through malware installed on employee computers connected via wireless networks;
- insider threats arising from employees who misuse privileges associated with administrative accounts;
- unauthorised use or theft of company assets such as laptops including mobile devices used by employees;
- accidental loss of electronic media containing confidential client data such as usernames, passwords, etc.;
- physical loss, where sensitive documents containing trade secrets are lost or stolen during unsecured transport from one location to another; and
- denial-of-service attacks.
There should be HR policies addressing the social engineering techniques used by hackers seeking unauthorised access to your network, typically over e-mail from spoofed sender addresses designed to entice recipients into opening links or attachments. Malicious programs such as Trojan horses embedded in attached files execute as soon as they are opened, infecting computers and triggering “ransomware” attacks that cripple entire organisations unless the victims pay the ransom demanded by the hackers, who threaten further damage if payment is not made immediately. Finally, there should also be regular training programmes designed specifically to introduce employees to corporate security policies and specific cybersecurity considerations, so that they become familiar with the work practices that go with good cybersecurity, while allowing them sufficient flexibility that the training requirements do not become overly burdensome either financially or logistically.
- Cybersecurity Governance Frameworks
- Threat Assessments
- Disaster recovery and business continuity
- Network Security
- Application & Information security
- Operational security
- Physical Security assessments for on-premises servers
- DoS and DDoS stress-testing
- Penetration Testing (some specialised penetration testing is conducted by our partners in the UK and Germany)
- Anti-social engineering training
- Cybersecurity training for non-technical people
- Honeytrap setups