Corporate cybersecurity: How to defend information values


Cybersecurity of IT resources and user data is a hot topic today, and so is the development of preventive measures.


The Phantom Menace? Unfortunately, no

Information security of corporate infrastructure is a live issue for most business owners, CEOs, CIOs, CDOs, and other heads of corporate IT departments. As recently as seven or ten years ago, those who took cybersecurity seriously were called ‘paranoids’. The fields most ‘infected by witch-hunting’ were banks, government agencies, defense contractors, and private security companies. But even all the security clampdowns implemented by the IT security departments of those organizations were not enough to provide total security. Their corporate networks suffered from cyberattacks, and their businesses could crash at any time. And companies that did not pay enough attention to the cyber defense of their IT infrastructure and data suffered even more.


Nowadays, cyber threats are more complex and more dangerous than we are ready to imagine. During the last five years alone, many companies across the world came under mass cyberattacks by malware such as BlackEnergy, TeleBots, CryptoLocker, GreyEnergy, Industroyer, Petya and NotPetya, BadRabbit, Buhtrap, WannaCry, TeslaCrypt, and Nyetya. Their victims included critical infrastructure and energy companies, financial institutions, transport and logistics companies, medical and pharmaceutical companies, software developers, and others. No one can feel totally secure.


The hackers' world has been transformed during the last decade. Earlier, solo hackers aimed to beat their competitors, other solo hackers. Nowadays, hackers join together to create conglomerates and groups that follow all the rules of corporate management. Those groups have their own call centers, recruitment companies, developers and analysts, strategic planning and risk management.


Their product has been transformed in the same way: simple ‘single’ viruses morphed into a new form, multi-module programs that can modify and repair themselves, adapt to the environment, and cope with constantly changing information security measures. The earlier purpose of viruses was to come into the spotlight and impress the world. Modern cyberattacks aim to take hold in the infrastructure while staying below the radar for as long as possible. During this period, the hacker group explores system vulnerabilities, gains access through careless users' workstations, creates malware code, avoids information security traps, patches vulnerabilities in its own malware, and finally crashes the system. It doesn't look like a movie gangster raid. No, this is a strategically and tactically well-orchestrated mission that can last for months and even years.


Remember the case of the StarLightMedia company, which suffered from the BlackEnergy cyberattack in 2015. It demonstrates the lack of IT security measures in the corporate networks of companies that do not have strong cybersecurity policies. You can't feel safe in your company if the antivirus is not updated regularly, some users deactivate the firewall, some users get unlimited access to all Internet resources including suspicious websites, and so on. Cyberattacks succeed in large part due to the human factor: in any company, in any team, cybercriminals can find the weakest link, a careless person who can turn the cybersecurity phantom menace into reality.

A VARIETY OF CYBER THREATS

All cyberattacks prove one thing: if the goal is set, any organization can be hacked. The only question is which method will be used. Cyber threats vary, but they all focus on the same thing: compromising the system and its users.


Cyber threats should be classified in order to select the right measures to remove or prevent them. It is like a medical diagnosis: we need to understand which medical problem we are facing, and only then can we choose an adequate treatment.


So, cyber threats are conveniently split into two categories, external and internal.


External cyber threats include the following:

  • Malware – penetrates the system without permission and often without the user's knowledge. It can cause a breach of confidential data and/or crash the system. According to the Kaspersky Lab classification, the huge malware family includes Trojans, worms, spyware, hoaxes, miners, spam, etc.
  • Ransomware – a type of malware. It penetrates the system, encrypts files, and then displays a message to the user on the screen, such as: “We will send you a decryption key after you pay the ransom”. Unfortunately, even if you collect and pay that money, you will neither decrypt the files nor recover the system.
  • Rootkit – specialized software that conceals the presence of a hacker or malware in the system and makes them invisible to antivirus or anti-malware software; it can also disable the antivirus.
  • Phishing – a simple but efficient cyberattack method: sending emails or messages that imitate messages from trusted sources. As a result, hackers get access to users' private information. If the victim is a private person, he or she can suffer financially or through leaks of private information. In the case of a phishing attack on a corporate network user, hackers can get access to all corporate data, including commercially sensitive information.
  • Social engineering – a cybercriminal method based on psychological pressure on a victim to force him or her to make security mistakes or give away sensitive information. Users are often too lazy and careless to check the facts, and hackers take the opportunity.
  • DDoS (Distributed Denial of Service) – a type of cyberattack in which many compromised computers (often an infected botnet) flood a single target system in order to deny its service entirely. This method is considered a tool of unscrupulous competitors.
  • Exploit – a large class of methods that give hackers unauthorized access to the system through holes in system software or security. Hackers may aim to gain root privileges or to crash the system.
  • Botnet – a network of infected computers used as a tool for other cyberattacks: DDoS, phishing, spam, etc. A botnet is under hidden third-party control. As a rule, the owners of the botnet's member computers do not know that their computers are connected to a botnet and used for malicious purposes.


Internal cyber threats include various vulnerabilities in system software and security, and the human factor. Users often make the following serious security mistakes:

  • keep their passwords and confidential information insufficiently secured;
  • sometimes sell private or commercial data;
  • do not update antivirus software regularly or do not use it at all;
  • keep firewalls disabled;
  • open infected attachments in spam or phishing messages;
  • plug unknown storage devices into their computers (for example, a USB flash drive found outdoors);
  • visit suspicious websites;
  • download and install files from unknown sources, etc.


According to Verizon's DBIR 2019 report, users open 94% of malicious emails.



What does all this mean? Unfortunately, all the warnings of IT security experts are ineffective. Users are still too gullible, naive and careless. Human mistakes are too expensive.

COMPUTER VIRUSES vs. CYBERATTACKS?

Contrasting computer viruses with cyberattacks is not correct, because viruses are one of the tools of cyberattacks. It is better to consider cyberattacks as the next evolutionary stage of computer virus attacks. Nowadays, cyber threats are more complex both technologically and organizationally, and they follow an integrated approach. It means that one type of threat is used for penetrating the system, another for gaining a foothold and concealing the malware, a third for achieving the attack's purposes, and so on. The ambitions and purposes of hackers have changed in a similar way, and the aftermath of information security damage has become more destructive.


The most typical characteristics of cyberattacks are the following:

  • the main target is corporate networks, largely based on Linux/Unix servers. This is the opposite of earlier computer virus attacks, which aimed primarily at mass infection of Windows-based environments in the SOHO segment. At that time, Linux servers were considered a relatively safe environment;
  • a multi-stage attack scenario includes scrupulous preparation and planning, then gaining access to the target's information network through vulnerabilities of network protocols and operating systems;
  • fileless malware is quite widespread now. In this type of cyberattack, some of the components, such as scripts and malicious code, run in the system at the process level without leaving files on disk. That's why antivirus and anti-malware software often cannot detect even traces of this malware. After a crash and reboot, no logs remain in the system, so you can never know what information was affected, what data was sent out, and where your leaked data went. Predicting how the leaked data will be used is impossible, too;
  • in recent years, hacker groups have been attracted by the rapidly growing IoT. Many sci-fi writers have already described the hypothetical possibility of a ‘coffee-machine rebellion’, but now those bloodcurdling scenarios are beginning to come true. Thus, Check Point's Global Threat Index for 2018 reported that the number of cyberattacks on IoT tripled from May to August 2018. Hackers use IoT devices to transmit malicious code, to influence the local network through compromised IoT modules, and to launch cyberattack scenarios;
  • a ransom demand for unblocking files can be just a screen hiding the main security damage. The real targets of hackers can be the theft of users' and network administrators' accounts (which are then successfully resold on the Darknet), the compromise of legitimate software, or the interception of control over the system in order to disable it. In other words, for the victim, the total cost will be immeasurably higher than the ransom amount: as with any other extortion, fulfilling the attackers' demands does not mean that you will now be left alone. On the contrary, the hardest problems are just beginning.


Note that the cyber incident environment is totally unstable. Hackers' tools improve, and their methodology, management approach, and purposes change. According to Positive Technologies research, the number of cyber incidents in the 1st quarter of 2019 was 11% higher compared to the 1st quarter of 2018. So you need to implement comprehensive cybersecurity measures in order to defend your corporate information values.

ONE OF THE KEY TASKS OF A BUSINESS IS CYBERSECURITY

To overcome such a complex and continually changing enemy, we need a comprehensive information security strategy. Corporate cybersecurity is a systemic, multi-level business process. Its essence is the preparation and implementation of measures to protect information systems, software, and apps from cyber threats, together with the development of preventive measures. A corporate information sphere is effectively protected when a reasonable balance is found between two contradictory extremes:

  • maximum safety – when corporate information security aims to ‘prohibit everything’, including Internet access from employees' workstations, their personal email accounts, USB ports, CD or DVD drives, smartphones, etc.;
  • maximum workability – when users ask to permit everything that can be useful and won't reduce the capacity of their business apps: some system resources are indeed redirected to the antivirus and other security software, as a result of which office applications slow down noticeably.



An integrated approach to the implementation of information security means that protection must be carried out at three key levels: human resources, business processes, and technology:

  • human resources of the enterprise: all employees should know and strictly observe the basic principles of information security: choosing strong passwords, treating email attachments with caution, backing up data, using external Internet resources from work devices reasonably, etc.;
  • business processes and regulations: it is necessary to develop a basic set of measures to counter attacks, both attempted and successfully carried out. It should explain how to identify attacks, protect systems, identify threats and counter them, and restore working systems to operation after a cyberattack has been carried out;
  • technology is a key link in the information security system. The main components to be protected are the so-called end devices: computers, smart devices and routers, networks, and the cloud environment. The most common technologies for protecting equipment are firewalls, DNS filtering, antivirus software, and email protection solutions.


Ensuring infosec effectiveness is not an easy task, especially now that the number of digital devices has greatly exceeded the number of users, cybercriminals are becoming more and more ingenious, and the amount of valuable data is growing every minute. According to statistics, the total cost of cybercrime is expected to exceed $2 trillion this year, and another source forecasts that the global cost of online crime will reach $6 trillion by 2021.

HOW TO PROTECT THE INFORMATION SYSTEM CORRECTLY?

Cyber threats spread on a global scale and inevitably led the world information community to develop a unified system of information security criteria. Thus, cybersecurity standards were introduced. They describe the methodology for protecting the user's or corporate information environment: all software, data, information systems, networks, storage, server and switching equipment, workstations, various gadgets with network connectivity, etc.


Cybersecurity standards have been developed since the 1990s and are permanently updated to take account of the dynamics of change in the information security environment. They are used in both global and local contexts and give countries a unified approach to information system protection. The best-known international cybersecurity standards are the following: ISO/IEC 17799:2005, ISO/IEC 27000, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO 15408, the German IT Baseline Protection Manual (Standard security safeguards of the German Information Security Agency), the British standards IASME, BS 7799-1:2005, BS 7799-2:2005 and BS 7799-3:2006, the US standards NERC and NIST, etc. These documents describe information security processes and procedures in maximum detail, interpret terminology, and include various tools for defending against cyber threats: security concepts, policies, manuals, security measures, risk management concepts, collections of best practices, guarantees and technologies, and so on. It is quite clear that a successful cybersecurity system must be based on cybersecurity standards.


One of the essential elements of corporate cybersecurity is an information security audit. An external audit is provided from time to time by independent contractors, and an internal audit is performed permanently by corporate information security employees. Ideally, both types of audit should be combined and done regularly. The audit objectives are the following:

  • investigation and assessment of the current security level of the company's information systems;
  • identification of vulnerabilities, ‘bottlenecks’, at-risk resources, and potential cyber threats;
  • estimation of potential losses in case cyber threats are realized, and of the cost of the consequences of cyberattacks;
  • identification of priorities for implementing measures to protect systems and information;
  • risk minimization and evaluation of the profitability of cybersecurity measures.


Based on the audit data, you can build a forecast of the development of the information security system, draw up a plan of systematic measures, and plan an economically sound budget. Although total protection against cyber threats is impossible in principle, regular and professionally executed cybersecurity audits give the company greater security than unsystematic, randomly chosen infosec measures. Besides, a competent audit is beneficial for corporate finance, because it allows you to achieve a full return on the budget invested in creating and maintaining the enterprise's cybersecurity system.


It is true that no audit can give a 100% accurate result: there can always be ‘white spots’ that the experts have missed. In this regard, the Bug Bounty Program (aka Vulnerability Reward Program) has an outstanding reputation. Some leading websites, including Google, Reddit, Facebook, F-Secure and others, have implemented such programs. Their essence is rewarding users who find bugs or vulnerabilities in websites, apps, or software. A Vulnerability Reward Program helps developers to debug and fix software vulnerabilities. As a result, users get a safer and more useful product. Of course, it is crucial that bona fide users detect these bugs before hackers use them. In terms of cybersecurity strategy, this practice is very progressive and beneficial.

SECURED BUSINESS IS SUCCESSFUL BUSINESS

Information security is a sphere where greed costs much more. We can draw an analogy with medicine again: if you cut corners on your health check-ups, be ready to spend much more on treatment than you would have spent on disease prevention. So, if infosec questions are not on the company's agenda, someday they will lead to a very nasty surprise.

According to Kaspersky Lab, in 2018 the TOP-5 most serious impacts of cyberattacks on corporate networks included the following:

  • downgraded service or product quality;
  • damage to employees’ health or even their death;
  • loss of customers' trust;
  • company reputation loss or brand damage;
  • confidential information loss.


While preparing a comprehensive cybersecurity strategy, you should pay attention to the BYOD (Bring Your Own Device) concept, which has drastically changed the approach to corporate information security during the last 10-15 years. The fact that employees use their own laptops, netbooks, smart devices, storage devices, and their personal Internet accounts for business purposes must be taken into account when conducting an information security audit and implementing information protection measures.



Note that a universal cybersecurity strategy does not exist: each business has its own environment, technology specifics, and market position. That's why a key task for infosec experts and top managers is building the most efficient information security strategy for their company.


The following hardware and software protection measures are widely used:

  • EPP (Endpoint Protection Platform), a complex protection system for defending endpoints at the software, hardware, and network levels; it is a platform solution effective against known cyber threats;
  • EDR (Endpoint Detection and Response), a process monitoring system aimed at finding suspicious activities inside the corporate information network. EDR allows a cyberattack to be detected at an early stage and prevented in real time: it blocks a suspicious process and sends an incident notification to infosec experts;
  • DLP (Data Loss Prevention), a technology and a set of software and hardware solutions for preventing data leaks caused by employees. It provides permanent monitoring of endpoint processes: installation of new software, port connections, file downloads, sending data outside the corporate information environment, and detection of privilege level upgrades of user accounts.


As a rule, cybersecurity functionality makes an information system more expensive and more complicated. For system protection, especially when it includes AI, Deep Learning, and Big Data algorithms working in real time, powerful cluster data center resources are needed. The deployment and maintenance of such infrastructure is often non-core and very costly for companies, so many of them make a risky choice, rejecting integrated cybersecurity or reducing it to the minimum functionality. It is clear that this is not good for business.


At the same time, there is an excellent opportunity to significantly reduce the cost of equipment, software, and specialized staff training: transferring critical data or even the entire IT infrastructure to a cloud, for example one hosted in Germany. In a redundant, fault-tolerant cloud infrastructure with hardware-based data encryption and Backup-as-a-Service available, your information values will be protected. It is a competent and very reliable solution.


But comprehensive and systematic work on ensuring corporate cybersecurity should continue unabated at all company levels (management, human resources, organizational structure, technologies) with an eye on the specifics of the business. For some, it is essential to ensure the protection of web applications; for others, to focus on protecting workstations or databases. It all depends on what types of cyber threats are typical for a particular enterprise, its geographical location, industry, and scale of business. The consulting company Booz Allen Hamilton made a forecast of the main vectors of cyberattacks on companies and enterprises in 2019, which will help you find your bearings and make the right decision on your business cybersecurity strategy.


Author: Alisa Kandeyeva