Cybersecurity: Understanding the Vulnerabilities 2
Published on : Tuesday 30-11--0001
“Bring Your Own Device” (BYOD) is a challenge for organisations. By allowing employees to use personal devices such as smartphones, tablets and laptops, organisations may benefit from increased productivity, reduced IT costs, better support for a mobile workforce and improved employee satisfaction. Most employees, however, are unaware of the risks of moving organisational data through unapproved applications; such apps are used simply because they are the shortest route to getting a task done. Organisations therefore need to make employees aware of which cloud applications the IT department has approved for use with organisational resources, and they need a solution or tool that can deny high-risk application usage on any employee device.
If a BYOD policy is not defined and strictly followed, it leads to high security risk. Examples of risks that arise when a BYOD policy is missing include organisational data being backed up onto personal devices, lack of control over the wireless networks those devices join, and broken service connectivity.
In a 2018 survey of cybersecurity professionals, 53% said their organisations had experienced an insider-related attack within the last year, and respondents were split on whether they worried most about accidental mistakes such as clicking on phishing links (51%) or malicious employee behaviour (47%). Organisations should implement strict policies to avoid such risks. All employees should be engaged and trained to spot digital abnormalities; this helps prevent cyber attacks, or helps identify and contain them before they spread across the entire network.
Risk Mitigation
As noted in a recent ASSOCHAM-EY joint study, only 4% of organisations are confident that they have fully considered the information security implications of their current strategy and that their risk landscape incorporates and monitors the relevant cyber threats, vulnerabilities and risks. The study also said that cybersecurity should no longer be viewed as a function of information technology (IT) or information security alone; it needs to form an integral part of the organisation's culture and strategy and be reflected in every facet of the organisation, from strategy down to the behaviour of each individual employee.
Calculating risk requires several parameters as inputs. The Asset Value (AV) is what the asset is worth to the organisation. The Exposure Factor (EF) is the percentage of an asset's value that is lost when an incident occurs. The Single Loss Expectancy (SLE) is the cost of a single loss: SLE = AV × EF. The Annual Rate of Occurrence (ARO) is the number of times the loss is expected to occur per year. The Annualised Loss Expectancy (ALE) is the yearly cost attributable to a risk: ALE = SLE × ARO. Because EF and ARO are estimates, an ALE is only as good as those inputs, but it gives a consistent basis for comparing risks with each other and for judging whether a control is worth its cost.
There are two key processes for managing risk: risk assessment and risk treatment. Risk assessment involves identifying, prioritising and quantifying risks against the organisation's risk-tolerance criteria and objectives. It should be carried out regularly so that it reflects changes in the security posture, the risk situation and the environment, especially when key changes take place. Risk treatment covers risk mitigation, risk acceptance, risk avoidance and risk transfer.
Risk mitigation means applying adequate controls to lower the risk. Risk acceptance means objectively and knowingly deciding not to act on a risk, typically because it falls within tolerance or the cost of treating it exceeds the expected loss. Risk avoidance means eliminating the risk by ensuring that the activity which causes it does not take place. Risk transfer, or risk sharing, means sharing the risk with third parties such as suppliers or insurance companies.
Risk appetite is the level of risk an organisation is prepared to accept. Its boundaries are not easy to define, since every organisation tolerates a different level of risk. In cybersecurity, risk is assessed in terms of three kinds of impact: loss of confidentiality, loss of integrity and loss of availability. In the current market, business is driven by data, or, more meaningfully, by information, and it is vital to keep that information secure. Technology has changed significantly, and the way cyber attacks are carried out has changed with it. Top management should invest in finding security vulnerabilities rather than compromising on security.
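As an added example (not from the original article), the following Python script builds a small quantitative risk register using the AV, EF, SLE, ARO and ALE definitions above, scores each risk against a risk appetite, and applies the treatment options (accept, mitigate, transfer or avoid) to decide what to do with it. The asset values, exposure factors, frequencies, control costs and the decision rule itself are constructed assumptions for illustration, not figures from the article or from any standard.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One entry in a quantitative risk register (AV, EF and ARO as defined above)."""
    name: str
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0 to 1.0
    aro: float              # ARO: expected incidents per year

    def __post_init__(self):
        # Reject nonsensical inputs early; a bad EF silently corrupts every figure downstream.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed mitigation and its assumed effect on EF and/or ARO (hypothetical figures)."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None: the control does not change EF
    new_aro: Optional[float] = None              # None: the control does not change ARO


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE after the control is applied, using the control's revised EF/ARO."""
    ef = risk.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = risk.aro if control.new_aro is None else control.new_aro
    return risk.asset_value * ef * aro


def control_value(risk: Risk, control: Control) -> float:
    """Annual net value of the safeguard: ALE before, minus ALE after, minus its yearly cost.
    Positive means the control saves more than it costs."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def treatment(risk: Risk, control: Optional[Control], appetite: float) -> str:
    """Simplified decision rule (an assumption of this example, not a standard):
    accept if the ALE is already within appetite; mitigate if the proposed control
    pays for itself; otherwise the risk must be transferred (e.g. insured) or avoided."""
    if risk.ale() <= appetite:
        return "accept"
    if control is not None and control_value(risk, control) > 0:
        return "mitigate"
    return "transfer or avoid"


# Constructed register for a small organisation with a risk appetite of 30,000 per year.
RISK_APPETITE = 30_000.0
REGISTER = [
    (Risk("Ransomware on file server", 500_000, 0.4, 0.5),
     Control("Offline, tested backups", 20_000, new_exposure_factor=0.1)),
    (Risk("Lost or stolen BYOD laptop", 8_000, 1.0, 2.0),
     Control("Full-disk encryption + MDM", 5_000, new_exposure_factor=0.2)),
    (Risk("Datacentre fire", 2_000_000, 0.8, 0.02),
     Control("Gas suppression system", 40_000, new_exposure_factor=0.3)),
]


def evaluate(register=REGISTER, appetite=RISK_APPETITE):
    """Return (risk name, SLE, ALE, control net value, recommended treatment) per entry."""
    rows = []
    for risk, control in register:
        rows.append((risk.name, risk.sle(), risk.ale(),
                     control_value(risk, control), treatment(risk, control, appetite)))
    return rows


if __name__ == "__main__":
    for name, sle, ale, value, action in evaluate():
        print(f"{name:28} SLE={sle:>12,.0f} ALE={ale:>10,.0f} "
              f"control value={value:>10,.0f} -> {action}")
```

With these figures the ransomware risk is mitigated (the backups save 55,000 a year net), the laptop risk is accepted because its ALE of 16,000 is already within appetite, and the fire risk ends up as "transfer or avoid" because the suppression system costs more per year than the loss it prevents, which is exactly the case insurance exists for.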
In information security, the security of any system rests on three main aspects: confidentiality, integrity and availability. Confidentiality means controlling who gets to read information. Integrity assures that information and programs are changed only in a specified and authorised manner. Availability makes sure that authorised users have continued access to information and resources.
For example, to raise security levels, PLC (programmable logic controller) equipment needs to include multiple embedded features such as hardware security keys and multi-layer password structures. Hardware-key authentication prevents programs from being opened or edited on unapproved personal computers that have not been "bound" to the security key. PLC CPUs can also be paired to the security key so that programs will not run unless this hardware match exists, which additionally protects the intellectual property in the control system. IP whitelisting (also known as IP filtering) should also be used to register the IP addresses of the devices approved to access each PLC or HMI (Human Machine Interface). This makes unauthorised access much more difficult. IP filtering is not authentication, however: an address can be spoofed and an approved workstation can itself be compromised, so it should be treated as one layer that increases defence in depth rather than as a standalone control.
Another important and mostly ignored point: an organisation's market identity is based on many factors, and one key reason customers trust an organisation is a strong feeling of security. For example, if you have an account with, say, XYZPQR bank and you see on television that some of the bank's accounts were compromised in a recent cyber attack, how likely are you to keep that account? The same can happen to any organisation that is compromised by attackers. High security risk is bad for any organisation's identity in the market. If an organisation compromises on security through an unwillingness to spend, it is directly risking damage to its own brand identity as well. Putting cybersecurity at the heart of an organisation's strategy will help maintain, and even enhance, the trust of consumers, regulators and the media alike.
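The IP whitelisting described above can be expressed as a default-deny access policy per PLC. The following Python example, added here and not part of the original article or any vendor's product, evaluates constructed connection attempts against such a policy and denies anything that comes from an unregistered source, targets an unregistered device, or uses a port not listed for that device. The addresses, the policy and the assumption that TCP port 102 is the programming port are hypothetical; 502 is the usual Modbus/TCP port.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Hypothetical access policy for two controllers. Keys are the PLC addresses; for each
# one, the TCP ports that may be used and the source hosts/networks registered for that
# port. All addresses are constructed. 502 is the usual Modbus/TCP port; 102 is assumed
# here to be the vendor's programming port.
POLICY = {
    "10.10.1.5": {                            # PLC-1
        502: ["10.10.2.0/24"],                # the HMI/SCADA subnet may poll process data
        102: ["10.10.3.20"],                  # only the bound engineering workstation may program it
    },
    "10.10.1.6": {                            # PLC-2
        502: ["10.10.2.0/24", "10.10.1.5"],   # HMI subnet plus PLC-1 (PLC-to-PLC data exchange)
        102: ["10.10.3.20"],
    },
}


class PlcAccessFilter:
    """Default-deny IP filter for PLC/HMI access, as a firewall or IDPS rule base would apply it."""

    def __init__(self, policy: Dict[str, Dict[int, List[str]]]):
        # Parse everything up front so a malformed address fails at load time, not at decision time.
        self.rules = {
            ipaddress.ip_address(dst): {
                port: [ipaddress.ip_network(net, strict=True) for net in nets]
                for port, nets in ports.items()
            }
            for dst, ports in policy.items()
        }

    def decide(self, src: str, dst: str, port: int) -> Tuple[str, str]:
        """Return ("ALLOW" or "DENY", reason) for one connection attempt."""
        try:
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            return "DENY", "malformed address"
        ports = self.rules.get(d)
        if ports is None:
            return "DENY", f"{dst} is not a registered PLC/HMI"   # unknown device: deny by default
        nets = ports.get(port)
        if nets is None:
            return "DENY", f"port {port} is not permitted on {dst}"
        if any(s in net for net in nets):
            return "ALLOW", f"{src} is registered for {dst}:{port}"
        return "DENY", f"{src} is not registered for {dst}:{port}"

    def audit(self, attempts: Iterable[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str, str]]:
        """Evaluate a batch of (src, dst, port) attempts; the DENY rows are what an operator reviews."""
        return [(src, dst, port, *self.decide(src, dst, port)) for src, dst, port in attempts]


# Constructed connection attempts, as a firewall or network IDPS log would record them.
ATTEMPTS = [
    ("10.10.2.40", "10.10.1.5", 502),   # HMI polling PLC-1: allowed
    ("10.10.3.20", "10.10.1.5", 102),   # bound engineering workstation programming PLC-1: allowed
    ("10.10.2.40", "10.10.1.5", 102),   # HMI trying the programming port: denied
    ("10.10.3.21", "10.10.1.5", 102),   # unregistered laptop (e.g. a BYOD device): denied
    ("10.10.1.5", "10.10.1.6", 502),    # PLC-1 exchanging data with PLC-2: allowed
    ("10.10.2.40", "10.10.1.9", 502),   # unknown destination: denied by default
    ("not-an-ip", "10.10.1.5", 502),    # garbage in the log: denied, and the filter does not crash
]

if __name__ == "__main__":
    for src, dst, port, verdict, reason in PlcAccessFilter(POLICY).audit(ATTEMPTS):
        print(f"{verdict:5} {src:>12} -> {dst}:{port:<4} {reason}")
```

Note that the denied rows are the interesting output: a workstation that is not in the list but keeps trying the programming port is exactly the kind of event the hardware key and the IP filter together are meant to surface, and it belongs in the IDPS alerting discussed later in this article.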
Let me give a few insights on one essential implementation that all organisations need in order to reduce the regular risk of attacks from the internet. An Intrusion Detection and Prevention System (IDPS) is the current standard, combining an Intrusion Detection System (IDS) with an Intrusion Prevention System (IPS). IDPS come in host-based and network-based forms. A host-based system monitors activity on one particular host or device, such as a router, and cannot see attacks against other devices. A network-based IDPS observes traffic much as a sniffer does, monitoring activity across a network link. On a switched network a sensor sees only the traffic delivered to its own port, so unless it is fed from a mirror (SPAN) port or a network tap it will miss attacks on other switched connections. The network switch design must therefore be chosen properly, otherwise it can prevent the IDPS from detecting attacks on systems connected to other switch ports.
IDPS and similar tools are an effective way to mitigate attacks from specific geolocations or from known IP address ranges. This does not eliminate cybersecurity risk, but it reduces the overall risk by blocking hacking attempts from the excluded locations. Such tools offer further configuration to block specific traffic types, to block an IP address automatically after repeated login attempts, and similar rules that make hacking more difficult. Automatic blocking needs careful tuning: thresholds set too low, or no exemption list for management hosts and shared NAT addresses, can turn the protection into a self-inflicted denial of service that locks out legitimate users and administrators.
IDPS should be deployed in three layers. First, a network-based IDPS should watch the traffic between systems on backbone segments and individual subnets. Second, a host-based IDPS should run on each server, router and critical network device. Third, the IDPS should be configured for automatic notification, for disconnecting a host from the network where necessary, for automatically dropping a user's connection when possible data theft is detected, and for similar responses.
As shown in Figure 1, a network IDPS (N/W IDPS) should sit between the internet and the firewall. A demilitarised zone (DMZ) is a physical or logical subnetwork that contains and exposes an organisation's external-facing services to an untrusted network, usually a larger network such as the internet. The DMZ also requires an IDPS. Production servers and the production environment must not be directly reachable from the internet. Wherever applicable, host-based IDPS should run on individual servers as well. An IDPS deployed in this way and kept running continuously gives an organisation the best chance of preventing as many cyber attacks as possible.
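The "auto-block an IP address after repeated login attempts" and "exclude known IP ranges" rules mentioned above, as an added Python example that is neither the article's code nor any vendor's IDPS: it parses constructed sshd failure lines, keeps a sliding window of failures per source, blocks a source that crosses the threshold or falls in an excluded range, and exempts the management subnet so the rule cannot lock out administrators. The log format, the addresses, the threshold and the ranges are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Hypothetical rsyslog-style sshd line with an ISO timestamp (constructed format).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


class BruteForceBlocker:
    """Sliding-window auto-block rule of the kind an IDPS applies to repeated login failures."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(minutes=2),
                 known_bad: Iterable[str] = (), never_block: Iterable[str] = ()):
        self.threshold = threshold
        self.window = window
        self.known_bad = [ipaddress.ip_network(n) for n in known_bad]      # excluded ranges/geolocations
        # Management and monitoring hosts are exempt: auto-blocking them would let a
        # burst of failures (real or induced) turn the IDPS into a denial of service.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.failures = defaultdict(deque)   # source IP -> timestamps of recent failures
        self.blocked: Dict[str, str] = {}    # source IP -> reason it was blocked

    def observe(self, line: str) -> Optional[Tuple[str, str]]:
        """Feed one log line; return (ip, reason) when a new block is triggered, else None."""
        m = FAILED_LOGIN.match(line)
        if m is None:
            return None                      # successful logins and unrelated lines are not counted
        ip = ipaddress.ip_address(m["ip"])
        ts = datetime.fromisoformat(m["ts"])
        if str(ip) in self.blocked or any(ip in n for n in self.never_block):
            return None
        if any(ip in n for n in self.known_bad):
            return self._block(ip, "source in excluded IP range")
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # drop failures older than the window
            recent.popleft()
        if len(recent) >= self.threshold:
            return self._block(ip, f"{len(recent)} failed logins within {self.window}")
        return None

    def _block(self, ip, reason: str) -> Tuple[str, str]:
        # A real IDPS would push a firewall rule or reset the session here; we only record it.
        self.blocked[str(ip)] = reason
        return str(ip), reason


# Constructed sample log, in time order. 203.0.113.0/24 stands in for a "known bad" range
# and 10.0.0.0/24 for the management subnet.
SAMPLE_LOG = [
    "2024-03-01T10:00:00 gw sshd[4242]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "2024-03-01T10:00:02 gw sshd[4243]: Failed password for admin from 10.0.0.9 port 53000 ssh2",
    "2024-03-01T10:00:03 gw sshd[4243]: Failed password for admin from 10.0.0.9 port 53000 ssh2",
    "2024-03-01T10:00:04 gw sshd[4243]: Failed password for admin from 10.0.0.9 port 53000 ssh2",
    "2024-03-01T10:00:05 gw sshd[4244]: Accepted password for alice from 10.0.0.5 port 52000 ssh2",
    "2024-03-01T10:00:06 gw sshd[4243]: Failed password for admin from 10.0.0.9 port 53000 ssh2",
    "2024-03-01T10:00:07 gw sshd[4243]: Failed password for admin from 10.0.0.9 port 53000 ssh2",
    "2024-03-01T10:00:10 gw sshd[4245]: Failed password for invalid user admin from 203.0.113.4 port 40000 ssh2",
    "2024-03-01T10:00:15 gw sshd[4246]: Failed password for root from 198.51.100.7 port 51001 ssh2",
    "2024-03-01T10:00:30 gw sshd[4247]: Failed password for root from 198.51.100.7 port 51002 ssh2",
    "2024-03-01T10:00:45 gw sshd[4248]: Failed password for root from 198.51.100.7 port 51003 ssh2",
    "2024-03-01T10:01:00 gw sshd[4249]: Failed password for root from 198.51.100.7 port 51004 ssh2",
    "2024-03-01T10:01:00 gw sshd[4250]: Failed password for bob from 192.0.2.9 port 60000 ssh2",
    "2024-03-01T10:04:00 gw sshd[4251]: Failed password for bob from 192.0.2.9 port 60001 ssh2",
    "2024-03-01T10:07:00 gw sshd[4252]: Failed password for bob from 192.0.2.9 port 60002 ssh2",
    "2024-03-01T10:10:00 gw sshd[4253]: Failed password for bob from 192.0.2.9 port 60003 ssh2",
    "2024-03-01T10:13:00 gw sshd[4254]: Failed password for bob from 192.0.2.9 port 60004 ssh2",
]


def run_detector(lines: Iterable[str]) -> Dict[str, str]:
    """Replay a log through the rule set and return the resulting block list."""
    det = BruteForceBlocker(threshold=5, window=timedelta(minutes=2),
                            known_bad=["203.0.113.0/24"], never_block=["10.0.0.0/24"])
    for line in lines:
        det.observe(line)
    return det.blocked


if __name__ == "__main__":
    for ip, reason in run_detector(SAMPLE_LOG).items():
        print(f"BLOCK {ip:15} {reason}")
```

Replaying the sample gives two blocks: 198.51.100.7 for five failures inside two minutes, and 203.0.113.4 immediately because its range is excluded. The slow attacker at 192.0.2.9 (one failure every three minutes) never trips the window, which is why auto-block is a rate limiter and not a substitute for the monitoring and host-based detection discussed above, and 10.0.0.9 is left alone despite its burst because it sits in the exempt management subnet.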
Organisations should proactively invest in such recommendations as best security practices.
Reaching a balance
Security training is essential for all employees. It should be customised for each group, from physical security staff up to the top management of the organisation. Everyone should have enough knowledge and clarity about their responsibility for the security of the organisation's interests and assets.
Periodic security audits are essential to minimise risk. A security audit at least once a year is recommended; the more frequent the audits, the sooner likely weaknesses are found and fixed, and the lower the chance of a successful cyber attack. It is also important to choose partners properly. For example, when an organisation is looking for IIoT partners, it should know its rights under the contract and the partner's willingness to accept audits, in terms of both frequency and duration.
Most organisations prefer independent third-party security audits, for a number of reasons. When hiring an independent auditing firm, select one that is familiar with the organisation's unique challenges, has actual IoT and cloud security experience, and holds the proper certifications, such as CISA. When initiating an audit, the most important points are to clearly define the organisation's objectives, priorities, requirements and unique risks, and any deliverables required from the auditing firm. Always obtain a Statement of Work (SOW) that details how the firm will conduct the audit to meet those objectives. Implementing IT best practices is essential, as is documenting and following responsibilities, procedures and policies.
There is no shortcut to reducing the risk of cyber attacks for any organisation. To summarise, a balanced solution combines top management's initiative to make the organisation secure, awareness within the organisation, frequent third-party security audits followed by fixing the open issues, regular monitoring of the environment, adoption of security best practices, and adherence to processes together with readiness to handle any security incident that arises.
Captions
Pix1: In a 2018 survey of cybersecurity professionals, 53% said their organisations had experienced an insider-related attack.
Pix2: A typical Intrusion Detection and Prevention System (IDPS). Source: The Security Buddy
Pix3: Between internet and firewall there should be Network IDPS.