Today, when information security can no longer be taken for granted, people and organisations need to understand the importance of a security mindset at every level of the business, not just in the IT department.
IT alone is not enough
People who work in the IT department are probably aware that many security incidents happen not because the computers are faulty, but because users on the business side of the organisation are using the information systems incorrectly.
Such mistakes cannot be prevented with technical safeguards alone; what is also needed are clear policies and procedures, training and awareness, legal protection, disciplinary measures, and so on.
The conclusion is that technical safeguards are not enough, and that the IT department, although central to any information security project, cannot tackle information security on its own.
It is very important to be able to identify security threats and potential vulnerabilities in your organisation. Some organisations run penetration tests to find those threats and vulnerabilities before an attacker does.
This article will help to explain some common vulnerabilities, how you can identify and mitigate them, some best practices for securing your IT systems and how you can protect yourself.
Threats come in different sizes and forms, and most involve malicious code known as malware. Malware is software specifically designed to disrupt, damage, or gain unauthorised access to a computer system; the most common delivery routes are email (attachments and links) and malicious or compromised websites.
Types of malware
- Spying applications – software that aims to stay unobtrusive and persist for a long time in order to leak or steal your information.
- Destructive applications – software that damages information or computer systems, for example by deleting files or wiping disks, or by corrupting firmware such as the system BIOS so that the machine will no longer boot.
Varieties of malware
- Virus – The classic malware that most people have heard of. A virus attaches itself to other programs or files and replicates as those files are opened or copied from machine to machine.
- Worm – A program that actively replicates itself to other computers across a network, usually by exploiting vulnerabilities in those systems, with no user action required.
- Trojan horse – As the name suggests, malicious code pretending to be something else. Frequently found in cracked software downloaded from unauthorised sources.
- Rootkit – Software designed to hide an attacker's administrator (or "root") level access on a computer. Rootkits cover their tracks by concealing files, processes and network connections, which makes them very hard to detect. Once installed they can be used to access the computer remotely or steal information.
- Spyware – An application that gathers information about a person or organisation without their knowledge.
- Adware – Often installed alongside other applications of dubious reputation, adware inserts unsolicited advertising into a user's browser.
- Ransomware – One of the most common kinds of malware in recent years. Ransomware encrypts the victim's files (and sometimes the whole disk), then displays a demand for payment in exchange for the decryption key. It is usually delivered through phishing email attachments or links, although some families also spread across the network by exploiting unpatched vulnerabilities, which is why patching and offline backups matter as much as anti-virus. Paying the ransom does not guarantee that the files come back.
- Polymorphic malware – A particularly advanced kind of malware that changes its own code each time it replicates, so that signature-based anti-malware programs struggle to recognise the infection.
How to mitigate malware infection
- Install anti-virus software and make sure it is kept fully up to date
- Be extremely cautious about the email attachments you open or the sites you visit. As a rule of thumb you should not open attachments or click on links that are in emails from people you do not know, or even from people you know, but from whom you aren’t expecting an attachment or link. More on this below.
- Always scan removable disks and flash drives with anti-virus software before opening any files on them.
- Ensure the operating system has all the latest updates and security patches installed.
- Keep the host firewall (on Windows, the built-in Windows Firewall) enabled at all times.
Social engineering
This is a non-technical form of attack in which the attacker manipulates the target into revealing their usernames and passwords, or into running compromised software. Plenty of tools available online let an attacker create a fake (spoofed) email, website or even SMS message that looks legitimate.
There are several goals to social engineering:
- Network intrusion
- Industrial Espionage
- Identity theft
- Network disruption
An example of social engineering could be an email from your bank asking you to refresh your login details, or an email from your HR department asking you to update your employee details. Social engineering exploits trust between people and often takes the form of a verbal trick or a believable lie.
Types of social engineering
- Dumpster diving – The use of various methods to get information about a technology user. In general, dumpster diving involves searching through trash or garbage looking for something useful, e.g. a post-it note with a password on it
- Evil twin – This is a rogue wireless access point that masquerades as a legitimate Wi-Fi access point so that an attacker can gather personal or corporate information without the end-user’s knowledge.
- Phishing, Spear Phishing and Whaling – These three attacks are variants on a theme. A basic phishing attack is very similar to spam and sends an email pretending to be from a legitimate source and directs the victim to a malicious site. Spear phishing is a more directed attack, usually against a specific company or individual. More effort is put into making it appear legitimate, possibly utilising information gleaned from dumpster diving. Whaling is a specific type of phishing directed against important targets and is often highly sophisticated.
- Pharming – The Internet's address book (the Domain Name System, or DNS) is subverted, either on the victim's computer (for example by editing the hosts file or changing the configured DNS server) or within the network, so that users are sent to fraudulent websites without their knowledge or consent, even when they type the correct address.
- Shoulder surfing – attempt to obtain confidential data by looking over the victim’s shoulder. Special care should be taken in public places, e.g. coffee shops, to avoid confidential data being viewed on screen.
- Skimming – An electronic method of capturing a victim's card details, used by identity thieves. The skimmer is a small device, often fitted over a legitimate card reader, that reads and stores the information on the card's magnetic stripe. Skimming can take place during an otherwise legitimate transaction at a business or cash machine.
- Spam – unsolicited junk email sent indiscriminately in bulk
- Spim – This is spam delivered through instant messaging (IM) instead of through e-mail messaging.
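The phishing entry above lists the tell-tale signs in words; the following script, an added example that is not part of the original article, checks a raw email for three of them: a Return-Path domain that differs from the From domain, an attachment with an executable extension (including double extensions such as invoice.pdf.exe), and link text that names one site while the href points to another. The sample messages, every address, domain and URL in them, and the `registrable()` helper are constructed for this illustration; the helper is a crude last-two-labels approximation and would need the Public Suffix List to handle names such as example.co.uk.

```python
"""Triage a raw email for common phishing indicators (added example, not from
the article). Every address, domain and URL below is constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible link text names the bank's site but the href
# points elsewhere, the envelope sender differs from the From header, and an
# "invoice" attachment is really an executable with a double extension.
SAMPLE_EMAIL = b"""Return-Path: <bounce@mail-updates.example.net>
From: "Example Bank" <alerts@example-bank.com>
To: victim@example.org
Subject: Please refresh your login details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please visit
<a href="http://login.example-bank.com.evil.example.net/refresh">https://www.example-bank.com/login</a>
within 24 hours or your account will be suspended.</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed benign message for comparison: plain text, no links, no attachment.
CLEAN_EMAIL = b"""Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: bob@example.org
Subject: Lunch?

See you at 12:30 in the usual place.
"""

RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar", ".lnk"}


def registrable(host):
    """Crude registrable-domain approximation: the last two labels. A real
    check would use the Public Suffix List (assumption made for this example)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _domain(header_value):
    """Domain part of an address header such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def phishing_indicators(raw):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Envelope sender (Return-Path) in a different domain than the From
    #    header. Legitimate bulk mailers do this too, so it is a weak signal;
    #    SPF/DKIM alignment results in Authentication-Results are stronger.
    rp, frm = _domain(msg.get("Return-Path")), _domain(msg.get("From"))
    if rp and frm and registrable(rp) != registrable(frm):
        findings.append(f"sender mismatch: From={frm} Return-Path={rp}")

    for part in msg.walk():
        # 2. Attachments whose final extension is executable; only the last
        #    extension matters, so invoice.pdf.exe is caught.
        fname = part.get_filename()
        if fname:
            ext = "." + fname.lower().rsplit(".", 1)[-1] if "." in fname else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment: {fname}")

        # 3. Link text that names one site while the href goes to another.
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text.strip())
                target = urlparse(href).hostname or ""
                if shown and target and registrable(shown.group(1)) != registrable(target):
                    findings.append(f"link text says {shown.group(1)} but goes to {target}")

    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("!", finding)
```

Run against the constructed sample it reports all three indicators and nothing for the benign message. None of these checks is proof on its own; the sender mismatch in particular fires on plenty of legitimate newsletters, which is why the output is a list of indicators for a human (or a mail gateway's scoring) rather than a verdict.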
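The pharming entry above mentions that DNS can be hijacked on the victim's own computer. One of the simplest ways to do that is an entry in the hosts file (/etc/hosts on Unix-like systems, C:\Windows\System32\drivers\etc\hosts on Windows), which the resolver consults before DNS. The script below is an added example, not code from the article: it parses hosts-file text the way the resolver does (ignoring comments and malformed lines) and flags two patterns, any override of a hostname on a watch list, and a single non-loopback address that collects hostnames from several unrelated domains. The sample file contents, the watch list and the `registrable()` helper (a last-two-labels approximation) are constructed for this illustration.

```python
"""Check a hosts file for local DNS overrides, one form of client-side
pharming. Added example, not from the article; the hosts-file content and the
watched domains are constructed."""
import ipaddress

# Constructed sample. The first entries are normal; the last two redirect a
# bank's web hosts and a software-update host to one address the attacker
# controls, which is what a pharming infection on the endpoint looks like.
SAMPLE_HOSTS = """\
# Static table lookup for hostnames.
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    fileserver.corp.example   # legitimate internal override
203.0.113.45    www.example-bank.com login.example-bank.com
203.0.113.45    update.example-software.com
"""

# Names that should only ever be resolved through DNS, never through a local
# override: your bank, payment providers, update servers, SSO portals.
WATCHED = {
    "www.example-bank.com",
    "login.example-bank.com",
    "update.example-software.com",
}


def registrable(host):
    """Last two labels of a hostname (assumption for this example; a real tool
    would use the Public Suffix List so example.co.uk is handled correctly)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blank lines and
    malformed lines, as the resolver itself ignores them."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield addr, name.lower()


def suspicious_overrides(text, watched=WATCHED):
    """Return indicator strings for two patterns:
    1. any watched hostname that the file overrides at all, whatever the
       address (pointing a bank at 127.0.0.1 is a denial of service, pointing
       it elsewhere is a redirect);
    2. a single non-loopback address that collects hostnames from several
       unrelated registrable domains, the signature of a bulk redirect."""
    findings = []
    domains_by_ip = {}
    for addr, name in parse_hosts(text):
        if name in watched:
            findings.append(f"watched host {name} overridden -> {addr}")
        domains_by_ip.setdefault(addr, set()).add(registrable(name))
    for addr, domains in domains_by_ip.items():
        if len(domains) > 1 and not addr.is_loopback:
            findings.append(f"{addr} collects {len(domains)} unrelated domains: {sorted(domains)}")
    return findings


if __name__ == "__main__":
    # On a real machine: suspicious_overrides(open("/etc/hosts").read())
    for finding in suspicious_overrides(SAMPLE_HOSTS):
        print("!", finding)
```

The loopback exclusion in the second check is deliberate: 127.0.0.1 and ::1 legitimately carry many names (localhost, ip6-localhost, ad-blocking lists), so only a routable address gathering unrelated domains is worth raising. A hosts-file check covers only the endpoint; the other pharming route mentioned above, a changed DNS server setting, needs a separate look at the machine's resolver configuration.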
Social engineering countermeasures
- User awareness and training – Send staff on training courses, take them through the policies and make clear what they should and should not be doing.
- Communicating security needs and priorities – Once people have had the training and adopted the security mindset, they approach their work with security in mind: "If I am doing this, what is the process, and what is the risk?"
- Having everyone on guard at all times – Give named people dedicated responsibility for investigating reports, fixing issues and confirming when they are resolved, so that if the organisation is attacked everyone knows exactly what they need to do and whom to tell.
- Strong corporate policies – Information security policies and procedures define how information is secured appropriately and repeatably.
These are just some of the threats and vulnerabilities you need to be aware of to keep your organisation secure.
You can also read our guides to securing online products and services with security best practices, why it’s safer to store data in the cloud and securing web communications with SSL and TLS for further advice.
For more information on information security awareness, identifying security threats and identifying vulnerabilities, download our free guide: "The Security Mindset".