Cyber Security: A Never Ending Journey

By Amitava Mukherjee, Information Security Manager, Siemens

'Internet of Things (IoT)' is the future

Projections for the impact of IoT on the Internet and economy are impressive, with some anticipating as many as 100 billion connected IoT devices and a global economic impact of more than $11 trillion by 2025.

In such an interconnected world, one can imagine the volume of information flowing around and how vulnerable systems will be to unauthorized access. Unless the IT landscape is adequately protected, such access challenges the integrity of information, allows its misuse, and can bring down mission-critical services such as power grids, transport systems, life-saving medical information services, infrastructure facilities, and so on.

While rapid technological developments have provided vast areas of new opportunity and potential sources of efficiency for organizations of all sizes, these new technologies have also brought unprecedented threats with them. Cyber security – defined as the protection of systems, networks and data in cyberspace – is a critical issue for all businesses. Cyber security will only become more important as more devices, ‘the internet of things’, become connected to the internet.

The cyber risks can be broadly divided into three distinct areas:

• Cyber crime: Conducted by individuals working alone, or in organized groups, with the intent of extracting money, data or causing disruption.

• Cyber war: A nation state conducting sabotage and espionage against another nation in order to cause disruption or to extract data.

• Cyber terror: An organization, working independently of a nation state, conducting terrorist activities through the medium of cyberspace.

Organizations that have to consider measures against cyber war or cyber terror include governments, those within the critical national infrastructure, and very high-profile institutions. It is unlikely that most organizations will face the threat of cyber war or cyber terror.

Cyber criminals operate remotely, in what is called ‘automation at a distance’, using the numerous means of attack available to them, which broadly fall under the umbrella term of malware (malicious software). These include:

• Viruses

Aim: Gain access to, steal, modify and/or corrupt information and files from a targeted computer system.

Technique: A small piece of software program that can replicate itself and spread from one computer to another by attaching itself to another computer file.

• Worms

Aim: By exploiting weaknesses in operating systems, worms seek to damage networks and often deliver payloads which allow remote control of the infected computer.

Technique: Worms are self-replicating and do not require a program to attach themselves to. Worms continually look for vulnerabilities and report back to the worm author when weaknesses are discovered.

• Spyware/Adware

Aim: To take control of your computer and/or to collect personal information without your knowledge.

Technique: By opening attachments, clicking links or downloading infected software, spyware/adware is installed on your computer.

• Trojans

Aim: To create a ‘backdoor’ on your computer by which information can be stolen and damage caused.

Technique: A software program appears to perform one function (for example, virus removal) but actually acts as something else.

Attack vectors

There are also a number of attack vectors available to cyber criminals which allow them to infect computers with malware or to harvest stolen data:

• Phishing

An attempt to acquire users’ information by masquerading as a legitimate entity. Examples include spoof emails and websites.

• Pharming

An attack to redirect a website’s traffic to a different, fake website, where the individuals’ information is then compromised.

• Drive-by

Opportunistic attacks against specific weaknesses within a system.

• MITM

‘Man in the middle attack’ where a middleman impersonates each endpoint and is thus able to manipulate both victims.

• Social engineering

Exploiting the weakness of the individual by making them click malicious links, or by physically gaining access to a computer through deception. Pharming and phishing are examples of social engineering.

Cyber security for organizations

An effective cyber security posture should be proportional to the risks faced by each organization, and should be based on the results of a risk assessment. This is more commonly termed a risk-based approach.

A simple rule of thumb for this risk-based approach is: never attempt to protect all the information you have. Classify and identify critical information, perform a protection requirement analysis, define protection concepts, implement them, and review and monitor them periodically against the changing cyber risk environment of the sector your organization belongs to.

All organizations face one of two types of cyber attack:

1. They will be deliberately attacked because they have a high profile and appear to have valuable data (or there is some other publicity benefit in a successful attack).

2. The attack will be opportunistic, because an automated scan detects the existence of exploitable vulnerabilities. Virtually every Internet-facing entity, unless it has been specifically tested and secured, will have exploitable vulnerabilities.

Cyber security has become one of the most critical topics for discussion and decision making at board level across corporate sectors, government departments and institutions all over the world. Cyber security measures can never be considered impenetrable, permanently remediated and closed. It is a never-ending journey on which the IT and InfoSec industry has embarked in order to come out as the winner over the wrongdoers.
