Understand the essence of cyber security and the issues facing digital, internet and mobile users.
What is cyber security, and what kinds of security threats and implications face personal and business users of the internet and digital realm? These questions often confuse and occasionally overwhelm, as we’re bombarded on an almost daily basis with horror stories of major hacks, data breaches, and abuses of online privacy.
Building on our basic introduction to malware, viruses, and spyware online, in this article we’ll be looking not only to answer the question “What is cyber security?” but also to simplify some of the complexity surrounding its methods, and the security issues facing individuals and corporate users of digital, internet, and mobile technologies.
We’ll start with the basics.
What Is Cyber Security?
The word “cyber” is a fairly recent addition to the English vocabulary, and is a general term used to describe things in the world of computers, information and digital technology. And “security” is a term that’s been around for a very long time, which concerns the safety of people, corporate entities, and institutions, in the face of threats and dangers.
So it should come as little surprise that cyber security is a blanket term covering the people, processes, and technology involved in protecting computers, networks, mobile devices, software applications, and data from attacks and attempts to gain unauthorised access.
Cyber security embraces individuals, organisations, networks, and the infrastructure that connects them. And it runs the gamut from the protection of physical assets and hardware, through to the technology and procedures used in safeguarding digital assets such as software and information, and the assessment and management of the risks facing each of these environments.
Total security is an impossible ideal. No matter how “foolproof” a system or business process may seem, there’s always scope for something to go wrong. And with the ingenuity and resources available to hackers and cyber criminals, new threats and new methods of exploiting weaknesses in techniques and technologies are constantly developing.
The best that individuals and corporate bodies can hope to achieve is to manage the risks that they face in the best way possible. A risk management strategy for cyber security requires an understanding of the threat landscape, knowledge of the risks that are most likely to be relevant, and the establishment of procedures for reducing vulnerability to these threats.
Basically, this all boils down to:
- Becoming aware of what’s out there, and what’s likely or possible to hit you, then
- Taking steps to reduce the likelihood of you being affected, and
- Making plans for how to respond, and minimise the damage in the event that your precautions fail.
Cyber Security Tools and Methods
There’s an entire industry that’s grown out of the sale of cyber security tools like anti-virus applications, password managers, and data encryption software (which scrambles information, so that it can’t be read), as well as dedicated security hardware, and the contracting out of related services.
But tools and talent will only go so far. A comprehensive approach to cyber security requires not only these assets, but also the information and methodology needed to make the strategy effective.
Cyber Security and Regulatory Frameworks
Frameworks are sets of rules, guidelines, and best practices which provide a formalised structure for individual operators and corporate bodies to follow in order to beef up their security stance, or meet the requirements of regulatory compliance regimes and the law.
Frameworks for cyber security typically take the form of a set of recommendations. They may also describe procedures and tools that may be used to put those recommendations into practice.
Ten Steps to Cyber Security, a report issued by the National Cyber Security Centre (NCSC, a division of UK intelligence headquarters GCHQ) to help business executives get to grips with the subject, is an example of this approach.
In terms of regulatory compliance, frameworks will typically spell out the exact conditions that organisations or individuals will have to satisfy in order to continue operating in a particular industry, discipline, or market sector, without running the risk of fines or legal action.
The recently launched General Data Protection Regulation or GDPR is one such framework, created by the European Union (EU) to set conditions guarding the data privacy of its citizens and residents.
There are many different frameworks in existence, and organisations have to be careful to choose the ones that are most effective and appropriate for them. After all, what is cyber security to one business may be too complex, or not far-reaching enough, for others.
Based on the demands of the law, regulatory requirements, and the conditions of their own working environment, organisations are usually advised to draw up a formalised policy, laying out how security matters should be handled.
Security policies will usually spell out what practices are permissible and which ones aren’t, in promoting and maintaining cyber security for the enterprise. They’ll also specify the powers and privileges that every member of the organisation has in respect to things like network and database access, control of intellectual property, and other issues. Fines and penalties for abusing corporate security policy may also be laid out here.
The security architecture of an establishment is the structure of physical hardware, software applications, procedures, partnerships, and related services that maintain and monitor the cyber security of the enterprise. These may include:
- Physical security measures: Gates, security cameras, scanners, locks, identity tags, and associated hardware.
- Access control: The mechanisms and procedures that keep unauthorised users or visitors at bay.
- Authentication and validation: Methods of ensuring that only authorised members of an organisation or invited guests can sign in to the networks and resources they’re entitled to use, and nobody else.
- Intrusion detection and/or intrusion prevention: Hardware and software that guard against attempts to infiltrate networks and systems by hackers and spies.
- Monitoring: Qualified security and IT personnel, dedicated hardware, and/or automated systems running constant checks against threats and signs of infection or system compromise.
- Incident Response: Deployment of specialised teams of responders, in the case of alerts or confirmed evidence of an attack.
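The "intrusion detection" and "monitoring" items above describe automated checks for signs of compromise without showing what one looks like. The following is an added example, not code from the original article: a small monitoring check that scans authentication log lines, counts failed logins per source address within a sliding time window, and raises an alert when a source crosses a threshold (the classic signature of password guessing). The log format, the thresholds and the sample log lines are all assumptions constructed for this example.

```python
"""Failed-login monitoring over sample log lines (added example, not from the article)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format, constructed for this example (not a real daemon's exact output):
#   2024-03-01T10:00:05 auth sshd: Failed password for admin from 203.0.113.7
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, source) or None if the line is not an auth event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m.group("ts")), m.group("result"),
            m.group("user"), m.group("src"))


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Return alerts as (source, distinct_users_tried, first_seen, last_seen).

    A source is alerted once when it accumulates `threshold` failed logins within
    any `window_seconds` span. Lines are expected in time order, as in a log file.
    Successful logins are not counted, so a user who mistypes a password twice and
    then gets in does not trip the check.
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    users = defaultdict(set)        # source -> distinct usernames attempted
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated or malformed line; a real pipeline would count these too
        ts, result, user, src = parsed
        if result != "Failed":
            continue
        q = failures[src]
        q.append(ts)
        users[src].add(user)
        # Drop failures that fell out of the sliding window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(users[src]), q[0], ts))
    return alerts


# Constructed sample log: one source sprays several accounts within seconds,
# one user mistypes once then succeeds, and one source fails slowly over minutes.
SAMPLE_LOG = [
    "2024-03-01T10:00:01 auth sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:02 auth sshd: Failed password for bob from 198.51.100.4",
    "2024-03-01T10:00:03 auth sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T10:00:05 auth sshd: Failed password for test from 203.0.113.7",
    "2024-03-01T10:00:06 auth sshd: Accepted password for bob from 198.51.100.4",
    "2024-03-01T10:00:07 auth sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:09 auth sshd: Failed password for guest from 203.0.113.7",
    "2024-03-01T10:00:11 auth sshd: Failed password for oracle from 203.0.113.7",
    "2024-03-01T10:01:00 auth sshd: Failed password for carol from 192.0.2.9",
    "2024-03-01T10:02:10 auth sshd: Failed password for carol from 192.0.2.9",
    "2024-03-01T10:03:20 auth sshd: Failed password for carol from 192.0.2.9",
    "2024-03-01T10:04:30 auth sshd: Failed password for carol from 192.0.2.9",
    "2024-03-01T10:05:40 auth sshd: Failed password for carol from 192.0.2.9",
    "this line is not an auth event and is skipped",
]

if __name__ == "__main__":
    for src, n_users, first, last in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT {src}: {n_users} accounts tried between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Only 203.0.113.7 is flagged: it reaches five failures within eight seconds, across four different accounts. The slow source 192.0.2.9 never has more than one failure inside any 60-second window, which is the trade-off such a check makes: a tighter threshold catches slower guessing but raises more false alarms from ordinary typos, so in practice the threshold is tuned against the organisation's own logs and the alert is fed to the incident response process rather than acted on blindly.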
Cyber Threat Intelligence
With new attack methods and new strains of malware (malicious software) emerging or being developed even as we speak, much of the security challenge for private individuals and businesses lies in staying on top of the latest happenings in the world of cyber security. This is where cyber threat intelligence comes into play.
As its name suggests, cyber threat intelligence consists of detailed information (or intelligence) on current security threats, the people, technology, and criminal organisations currently responsible for them, and the latest methods for combating the threats that they pose.
Cyber threat intelligence may come in several forms. Common among these are online databases, white papers (advisory documents), discussion forums, specialist consultants, and pools of shared knowledge drawn from experts in the field, and from organisations that have been affected by cyber threats of various kinds.
Security Awareness Training
With human error, poor judgement, and just plain foolishness often assisting hackers and cyber criminals more than the malicious software and other tools they use, it’s important for network and internet users to become aware of the threats they actually face, and the best methods for avoiding them. That’s where cyber security awareness training comes into the picture.
Aside from raising awareness, the aim of security awareness training is to instil a culture and attitude that makes cyber security and risk management a part of daily life.
This training may be formally conducted (e.g., by a business organisation), or sought out independently. Interactive exercises, tests, and engaging presentation techniques are typically used to explain prevailing cyber threats, the risks to individuals and businesses, and best practices for staying safe.
All the tools and security training in the world don’t help if systems and people crumple under the pressure of a real security incident or hacking attack. For this reason, many business enterprises conduct what are known as random penetration tests. These are the equivalent of live drills for fire or emergency response.
In penetration testing, external contractors are usually called in and given a free hand to stage a cyber attack on an organisation’s network and personnel, using various methods such as brute force assaults on passwords, email and message phishing (trying to fool people into giving up sensitive information, visiting booby-trapped websites, or opening file attachments loaded with malware), or overloading system resources.
The goal of these exercises is to gauge and monitor the performance of workers and incident response teams under the pressure of a real attack, and to highlight areas where the security defences of an enterprise can be improved.
Penetration testing is typically performed by security professionals who have a familiarity with the latest hacking techniques, but use these skills for benevolent purposes. So if you ever come across terms like “white hat hackers” or “ethical hacking”, this is what they’re referring to.
Security Threats to Personal Users
In terms of what is cyber security for the individual, the sad truth is that it’s a precarious environment out there, and pretty much always has been. Among the numerous security threats facing personal users of networks, the internet, and mobile devices are:
- Malicious software or malware, in general: Traditional computer viruses, Trojans or Trojan Horse programs (which look like one thing but actually do another), and worms (software capable of reproducing itself so that it can spread from one computer to the next over a network), plus things like spyware, adware, and key-loggers (which can record your keystrokes or mouse movements) are all examples.
- Ransomware: A specialised breed of malware that can immobilise complete systems by encrypting all the information on them, so that the owner can’t understand or access it. Victims are extorted for money (usually in the form of Bitcoin or some other cryptocurrency), for the keys to unlock their devices. The likes of WannaCry and Petya have wreaked havoc and made considerable sums for the criminals distributing them.
- Crypto-jacking software: Programs hidden inside otherwise legitimate software or websites that hijack a user’s or visitor’s system resources to mine for cryptocurrencies.
- Phishing and social engineering: Bogus messages (email, SMS, false advertising, or voice calls) aimed at getting victims to divulge useful information, or at leading them to download malicious file attachments or visit web sites booby-trapped with malware.
- Identity theft: Gathering of personal and business information (from browsing activity, social media, company profiles, etc.) that enables cyber criminals to impersonate victims, or sell their digital identities on to third parties.
- Information leaks: Exposure of personal, financial, and other sensitive data due to hacks, security breaches, mobile apps with links to third parties, or indiscreet practices online.
Security Threats to Businesses
Business organisations are composed of individual people, so of course all of the above security threats apply to businesses as well. But in addition to the personal threats, there are other more institutional cyber security risks that businesses have to consider. These include:
- Infiltration of corporate networks: This may occur through direct action (such as successful attempts at password breaking) or indirectly (e.g. using spyware slipped to an employee through a phishing email).
- Corruption of corporate data: If hackers gain access to corporate information, in some cases they can insert their own data as acts of sabotage or market manipulation.
- Theft of intellectual property or copyright infringement: Secret projects, hot new products, or top-selling existing material that can be pirated for profit or claimed as someone else’s are all vulnerable here.
- Leakage of company credentials: Often as a result of workers using office email and other credentials on public sites like social media, which are then hacked.
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks: Organised assaults against online services, networks, and web applications that clog the system so that users can’t get through.
- System hijacking: In extreme cases (or as the final pay-off for sustained attacks known as APTs or advanced persistent threats), individual systems or entire networks may fall under the control of cyber criminals.
- Insider threats: Often overlooked as a possibility until it’s too late, insider threats come from disgruntled former employees or dissatisfied current ones, whose mistakes or deliberate attempts at sabotage can give the upper hand to cyber criminals.
So, what is cyber security, and what does it involve? All of the above, plus techniques and tools to bolster your security stance and provide protection against known and unknown threats. We’ll be considering some of those in our next instalment of this series.