Monday 28 July 2014

Hacking humans...

There is undoubtedly more news coverage on security breaches or hacks into some well-known companies.  When large retail chains like Target in the States, or massive online websites like eBay get breached, the concerns about losing data and the impact on the consumer is massive.

Technology will protect us…

There are many technical solutions that can protect organisations, from traditional security solutions such as anti-virus software, web filtering solutions, email filtering solutions, firewalls, intrusion detection and prevention, encryption, secure authentication and endpoint lockdown solutions.  There are new technologies, which use sandboxing technologies, behavioural analytics, data analysis tools, and next generation technologies refining and enhancing the traditional security solutions.

With all these solutions in place, it would be difficult to believe that organisations are still being breached, but yet most of these technologies are in and running in these organisations.  These systems are not infallible as a number of technical solutions were subject to a major security flaw, when the Heartbleed bug was highlighted.

Legislation will protect us…

There are many legislations when looking at Information Security, but although many are there to protect information, such as the Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, Computer Misuse Act, Terrorism Act, Official Secrets Act, Malicious Communications Act and even the new Data Retention and Investigatory Powers Bill.

Although these acts look after the information of the individual, an organisation or what the people can see, these are not safeguards to protecting organisations.  These legislations would have done little or nothing to prevent the breaches that typically occur.  

ISO 27001 and ISO 9001 are framework standards which can help safeguard the data through good practices, as can the PCI standard, but again organisations can adhere to these standards and still face the organisation being compromised.

Our people will protect us…

It is commonly joked within IT departments that "the problem is between the chair and the keyboard", implying that users are the weakest links.  It's not surprising as social engineering and more targeted attacks have the "look and feel" of legitimate communication.  When a large security organisation like RSA is breached it brings into question the users education.  In this situation, the spear phishing (specifically directed email) attack was launched and captured by the organisation's email SPAM filter.  The technology had worked, but the release of an important looking email and clicking on it, gave way to a breach that reportedly cost RSA $66 Million.

It is also believed that only 11 malicious spear phishing emails were received, all of which were caught by the SPAM filter, but it only took one person to instigate this PR nightmare.

User Education

It is often said that all compromises have used elevated privileges, which means the threats are targeting individuals because they have specific administrative rights or access to specific system.  Do not overlook the importance of user education and awareness.

The technology may to there capture some of the security threats, and legislations to help safeguard practices, but vigilant and well trained users will help organisations more.

No comments:

Post a Comment