Posted on Tuesday, 13 September 2016

Is your organisation safe from Cyber Attack?

Written by Harj Singh

Cyber attacks are not a new phenomenon. Malicious hacking attacks on information systems over the Internet have been taking place for many years. The rebranding of these attacks using the word ‘cyber’ has conveniently grouped the various attack types together and brought them to mainstream attention.

So what actually is a cyber attack? Techopedia defines it as:

‘A cyber attack is deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyberattacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft.’

As most organisations rely on Information Technology (computers, servers, network equipment etc.) and information (personal data on staff, financial information, operational information, commercially sensitive information, data on customers etc.) the business impact of a cyber attack could include reputational damage, loss of intellectual property and fines resulting from breach of the Data Protection Act. Every organisation is a potential victim of cyber attack.

‘Common Cyber Attacks: Reducing The Impact’ has recently been produced by CESG (the Information Security arm of GCHQ) with CERT-UK, and is relevant to every organisation that is exposed to attack from the Internet. This informative paper is written for CEOs, boards, business owners and managers, and helps them to understand what a common cyber attack looks like and what they can do to defend against it.

The paper covers the following key areas:

  • the threat landscape - the types of attackers, their motivations and their technical capabilities
  • vulnerabilities - what are they, and how are they exploited?
  • cyber attacks, stages and patterns - what is the ‘typical’ structure of a cyber attack?
  • reducing the impact of an attack - what controls are needed to reduce the impact of common cyber attacks?
  • case studies - real world examples that demonstrate how cyber attacks have caused financial and reputational damage to major UK businesses

The threat landscape looks at who could potentially be attacking you and lists the following threat actors:

  • Cyber criminals interested in making money through fraud or from the sale of valuable information.
  • Industrial competitors and foreign intelligence services, interested in gaining an economic advantage for their companies or countries.
  • Hackers who find interfering with computer systems an enjoyable challenge.
  • Hacktivists who wish to attack companies for political or ideological motives.
  • Employees, or others with legitimate access, through either accidental or deliberate misuse.

There are various reasons why the above may seek to attack your information systems, ranging from political ideology to personal financial gain. It is difficult for organisations to accurately assess the motivation and capability of attackers, but there are relatively simple steps that can be taken to make attacks harder to succeed by identifying and reducing your vulnerabilities. The paper highlights three common vulnerabilities:

  • Flaws - unintended functionality in systems as a result of poor design which could be exploited by an attacker to breach a system.
  • Features - intended functionality which can be misused by an attacker to breach a system, e.g. JavaScript and macros in Microsoft Office products.
  • User error - users making mistakes, selecting easy to guess passwords, using laptops or mobile devices carelessly where information they enter can be seen by others, etc. Even experienced system administrators can make mistakes and misconfigure equipment or fail to fix a security flaw.

The paper describes in some detail the stages of a cyber attack which it summarises into the following four stages:

  • Survey - investigating and analysing available information about the target in order to identify potential vulnerabilities
  • Delivery - getting to the point in a system where a vulnerability can be exploited
  • Breach - exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access
  • Affect - carrying out activities within a system that achieve the attacker’s goal

Not too long ago you had to be a highly skilled computer expert to carry out cyber attacks, but these days attack tools can be easily found on the Internet and used by anyone with a basic understanding of computing. Most cyber attackers start by using simple scanners that identify open ports, vulnerable operating systems and applications, and the makes and models of network equipment, which helps them to build a picture of the target.

Social engineering techniques are also widely deployed by attackers to gain information about systems, the data you hold and passwords.

So what can you do to stop or reduce cyber attacks on your organisation? The paper states that ‘preventing, detecting or disrupting the attack at the earliest opportunity limits the business impact and the potential for reputational damage.’ Making your network a difficult target will reduce an attacker’s motivation to attempt to breach your security, unless they are highly motivated and have specifically selected your organisation as a target.

As most cyber attacks exploit simple mistakes made by organisations, implementing Cyber Essentials can provide a cost effective mechanism to reduce your organisation’s exposure to the more common types of cyber attack.

Cyber Essentials covers:

  • Boundary firewalls and internet gateways
  • Secure configuration
  • Access control
  • Malware protection
  • Patch management

If the threat against your organisation is greater, then the following additional controls from CESG’s 10 steps to Cyber Security can be implemented to reduce the impact:

  • security monitoring - to identify any unexpected or suspicious activity
  • user training, education and awareness - staff should understand their role in keeping your organisation secure and report any unusual activity
  • security incident management - put plans in place to deal with an attack, as an effective response will reduce the impact on your business
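As an added illustration (not code from the post or the CESG paper) of what the security monitoring control can catch, the following Python flags the survey-stage footprint described earlier: one source touching many distinct ports on a host within a short window. The log lines are constructed for this example and use an assumed, simplified firewall log format; the threshold and window are illustrative, not values from the paper.

```python
# Added example, not code from the Aristi post or the CESG paper: flag a source
# that touches many distinct ports on one host in a short window, the footprint
# that the simple scanners described above leave in boundary firewall logs.
# Assumed simplified log format: "<epoch> SRC=<ip> DST=<ip> DPT=<port> ACTION=<verb>".
from collections import defaultdict

# Constructed sample: 203.0.113.7 probes six ports on 192.0.2.10 within 20 seconds;
# 198.51.100.4 makes two ordinary connections well apart in time.
SAMPLE_LOG = """\
1473774600 SRC=198.51.100.4 DST=192.0.2.10 DPT=443 ACTION=ACCEPT
1473774601 SRC=203.0.113.7 DST=192.0.2.10 DPT=21 ACTION=DROP
1473774603 SRC=203.0.113.7 DST=192.0.2.10 DPT=22 ACTION=ACCEPT
1473774605 SRC=203.0.113.7 DST=192.0.2.10 DPT=23 ACTION=DROP
1473774609 SRC=203.0.113.7 DST=192.0.2.10 DPT=80 ACTION=ACCEPT
1473774612 SRC=203.0.113.7 DST=192.0.2.10 DPT=445 ACTION=DROP
1473774620 SRC=203.0.113.7 DST=192.0.2.10 DPT=3389 ACTION=DROP
1473774700 SRC=198.51.100.4 DST=192.0.2.10 DPT=80 ACTION=ACCEPT
"""

def parse_line(line):
    """Return (timestamp, src, dst, port) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = int(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        return ts, fields["SRC"], fields["DST"], int(fields["DPT"])
    except (ValueError, KeyError):
        return None

def find_port_scans(log_text, window=60, min_ports=5):
    """Return {(src, dst): sorted ports} for every source that hits at least
    min_ports distinct ports on one destination within `window` seconds."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst, port = rec
            events[(src, dst)].append((ts, port))
    hits = {}
    for key, evs in events.items():
        evs.sort()  # sliding window over events in time order
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[key] = sorted(ports)
                break
    return hits
```

Calling `find_port_scans(SAMPLE_LOG)` returns the single scanning pair with its six probed ports; the ordinary client is not flagged. Accepted connections count as well as dropped ones, since a scanner learns from both.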

One of the most effective ways to protect against cyber attacks is to implement a governance regime for identifying and managing risks to your information systems. To be effective, this has to be led by senior management and embedded into the organisation so that it becomes part of normal business process. In effect, it changes the culture of the organisation to one that is more security aware.

Most senior managers believe that cyber security is an IT matter. It’s not: the business owns the information assets (personal data, commercial data etc.) and is therefore responsible for making sure these assets are protected. IT plays an important role, but the business needs to be involved in determining the security requirements and ensuring that security is ‘good enough’ and proportionate to the risk.

The ISO/IEC 27001:2013 standard provides a robust framework for building an Information Security Management System (ISMS) for an organisation, which includes risk assessment and management with senior management involvement. It requires more effort and commitment than Cyber Essentials but provides greater value, as it covers all areas of the business.

Going back to the CESG paper, it states in closing that ‘doing nothing is no longer an option; protect your organisation and your reputation by establishing some basic cyber defences to ensure that your name is not added to the growing list of victims.’

For more information on how you can protect your organisation from cyber attacks please contact us.

Harj Singh

Harj Singh MBA CLAS CISSP MBCS CITP is a Principal CLAS Consultant at Aristi. Harj has over 20 years of experience in the IT and security industry gained through technical and managerial roles, and has helped clients in government, emergency services and the private sector to develop and implement security strategies and solutions that add value to their business.
