Posted on Wednesday, 21 January 2015

Is your organisation safe from Cyber Attack?
Cyber attacks are not a new phenomenon. Malicious hacking attacks on information systems over the Internet have been taking place for many years. The rebranding of these attacks using the word ‘cyber’ has conveniently grouped the various attack types together and brought them to mainstream attention. So what actually is a cyber attack?

One of the best definitions I have seen is from Techopedia, which states:

‘A cyber attack is deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyberattacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft.’

As most organisations rely on Information Technology (computers, servers, network equipment etc.) and information (personal data on staff, financial information, operational information, commercially sensitive information, data on customers etc.), the business impact of a cyber attack could include reputational damage, loss of intellectual property and fines resulting from a breach of the Data Protection Act. Every organisation is a potential victim of cyber attack.

‘Common Cyber Attacks: Reducing The Impact’ has recently been produced by CESG (the Information Security Arm of GCHQ) with CERT-UK, and is aimed at all organisations that are vulnerable to attack from the Internet. This informative paper is written for CEOs, boards, business owners and managers and helps them to understand what a common cyber attack looks like and what they can do to defend against it.

The paper covers the following key areas:

  • the threat landscape – the types of attackers, their motivations and their technical capabilities
  • vulnerabilities – what are they, and how are they exploited?
  • cyber attacks, stages and patterns – what is the ‘typical’ structure of a cyber attack?
  • reducing the impact of an attack – what controls are needed to reduce the impact of common cyber attacks?
  • case studies – real world examples that demonstrate how cyber attacks have caused financial and reputational damage to major UK businesses

The threat landscape looks at who could potentially be attacking you and lists the following threat actors:

  • Cyber criminals interested in making money through fraud or from the sale of valuable information.
  • Industrial competitors and foreign intelligence services, interested in gaining an economic advantage for their companies or countries.
  • Hackers who find interfering with computer systems an enjoyable challenge.
  • Hacktivists who wish to attack companies for political or ideological motives.
  • Employees, or others who have legitimate access, through either accidental or deliberate misuse.

There could be various reasons why the above may seek to attack your information systems ranging from political ideology to personal financial gain. It is difficult for organisations to accurately assess the motivation and capability of the attackers but there are relatively simple steps that can be taken to make it harder for attacks to be successful by identifying and reducing your vulnerabilities. The paper highlights three common vulnerabilities:

  • Flaws – unintended functionality in systems as a result of poor design which could be exploited by an attacker to breach a system.
  • Features – intended functionality which can be misused by an attacker to breach a system e.g. JavaScript and macros in Microsoft Office products.
  • User error – users making mistakes, selecting easy-to-guess passwords, using laptops or mobile devices carelessly where information they enter can be seen by others etc. Even experienced system administrators can make mistakes and misconfigure equipment or fail to fix a security flaw.

The paper describes in some detail the stages of a cyber attack which it summarises into the following four stages:

  • Survey – investigating and analysing available information about the target in order to identify potential vulnerabilities
  • Delivery – getting to the point in a system where a vulnerability can be exploited
  • Breach – exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access
  • Affect – carrying out activities within a system that achieve the attacker’s goal

Many years ago you had to be a highly skilled computer expert to carry out cyber attacks, but these days attack tools can be easily found on the Internet and used by anyone with a basic understanding of computing. Most cyber attackers start by using simple scanners that identify open ports, vulnerable operating systems/applications and the makes and models of network equipment, which helps them to build a picture of the target.

Social engineering techniques are also widely deployed by attackers to gain information about systems, the data you hold and passwords.

So what can you do to stop or reduce cyber attacks on your organisation? The paper states that ‘preventing, detecting or disrupting the attack at the earliest opportunity limits the business impact and the potential for reputational damage.’ Making your network a difficult target for attackers will reduce the motivation of an attacker to attempt to breach your security – unless they are highly motivated and have specifically selected your organisation as a target.

As most cyber attacks exploit simple mistakes made by organisations, implementing Cyber Essentials can provide a cost effective mechanism to reduce your organisation’s exposure to the more common types of cyber attack.

Cyber Essentials covers:

  • Boundary firewalls and internet gateways
  • Secure configuration
  • Access control
  • Malware protection
  • Patch management

If the threat against your organisation is greater, then the following additional controls from CESG’s 10 steps to Cyber Security can be implemented to reduce the impact:

  • security monitoring – to identify any unexpected or suspicious activity
  • user training, education and awareness – staff should understand their role in keeping your organisation secure and report any unusual activity
  • security incident management – put plans in place to deal with an attack as an effective response will reduce the impact on your business

One of the most effective ways to protect against cyber attacks is to implement a governance regime for identifying and managing risks to your information systems. To be effective, this has to be led by senior management and embedded into the organisation so that it becomes part of normal business process. In effect, it changes the culture of the organisation to one that is more security aware.

The ISO 27001:2013 standard provides a robust framework for building an Information Security Management System (ISMS) for an organisation, which includes risk assessment and management with senior management involvement. It requires more effort and commitment than Cyber Essentials but provides greater value.

Going back to the CESG paper, it states in closing that ‘doing nothing is no longer an option; protect your organisation and your reputation by establishing some basic cyber defences to ensure that your name is not added to the growing list of victims.’

Harj Singh is the founder and CEO of Aristi and has over 25 years of experience in the IT and Security industry, gained through technical and managerial roles. Harj has helped clients in the public and private sectors to develop and implement security strategies and solutions that add value to their business.
