The increasing sophistication of malware attacks on any commercial site or personal computer indicates a corresponding increase in the scale and sophistication of the preventative and recovery measures needed.
A large organisation might keep its cyber security function in-house and develop its own strategies. Smaller organisations are increasingly turning to Internet Security Services to assist them with setting up and maintaining their cyber defences. In all cases a firewall between internal systems and the outside world is an essential first component of any cyber security setup.
Cyber-strategy on a home computer is not rocket science. The are many free and paid-for applications that can be bought at the local computer shop or online. By and large they are sufficient, provided, and this is a big provided, they are kept up to date. Installing malware protection software but not updating the anti-malware program and signatures is like building the castle walls, but leaving the gates open and unguarded.
For some time, the focus in corporate cyber-security has been in defending against an attack once it has been recognised. The new focus is proactive, to have continuous testing for areas of vulnerability, and continual monitoring for unusual network traffic that might signal an attack. This is where thinking like a cyber-criminal comes in.
The first thing to realise is that there is the traditional general malware background noise, not specifically directed against individual organisations, just part of the IT landscape. The cyber security environment must cater for email security, detection and management of threats from unsafe websites and any other general threats as part of the overall cyber security strategy.
Direct assaults are a different ballgame altogether.
It’s often said that the best way to secure your home is to think like a burglar. In short, how you would break into your home if you were locked out without keys. In this case, how does a cyber-criminal think?
Direct attacks on an organisation are usually planned attacks to steal something specific, usually money, but not always. Industrial espionage, ID theft of employee data and stealing documents, both email correspondence and internal reports and memoranda are increasingly common.
They choose their target.
They assess the reward against the effort required and likelihood of success.
You need to do the same. Consider the data you have that could be of value to others. Assess how likely are you to have a determined attempt to steal that data. Secure it.
They probe for weakness and vulnerabilities.
Networks are often in a state of change, with new and upgraded features and functions added, and support for new devices enabled. This can create cracks in the security environment and sometimes incompatibilities between existing and new functions can open opportunities to hack into the network. The Internet underground also documents and collates network vulnerabilities.
Implementing WiFi is particularly appealing to hackers because of the ease of connectivity and the range of devices like tablets and smartphones that can now be used to join a network.
You should also check for internal vulnerabilities. Many attacks begin with users. Try sending out a fake phising email to see how many employees respond. Users might introduce malware inadvertently or deliberately into the network using a DVD or flash drive. They might try to steal data using an external disk drive. Disable their DVD and USB ports to stop them.
You can then add your risk tolerance to your risk profile. What are the critical risks that will stop you dead in the water, and what can you cope with. Bear in mind it may be more expensive to prevent some risks than clean up afterwards.
Make sure that the full range of protection is enabled on your firewall even at the expense of lower performance.
In some cases this may be multi-stage. For example, the first step is to collect a list of employee email addresses that will be used later to pose as employees to break in via an email vulnerability.
The astute CIO, thinking as a cyber-criminal can stage false exploits to test defences, identify new vulnerabilities and the software and operational processes needed to counter them.
To summarise then, thinking like a cyber-criminal is a very good place to start when preparing a cyber security policy:
- Identify your risk profile, identify areas of high value and hence danger of theft, i.e. your risk exposure;
- What risks must you prevent, and the risks you can allow to happen and clean up afterwards.
- How prepared are you currently and what can you do immediately to improve protection?
- Create a cyber security strategy to prevent, detect and deal with threats.
- Test it, update it, review it.
- Repeat regularly.
Cyber security is a dynamic environment. New threats appear daily. The mindset set of being a cyber-criminal is a permanent one that continually reviews the threat landscape and reviews and revises the cyber-security profile and policies. Carry out a similar exercise for a recovery policy.