Posted on Wednesday, 21 January 2015

Is your organisation safe from cyber attack?

Written by Harj Singh

Cyber attacks are not a new phenomenon. Malicious hacking attacks on information systems over the Internet have been taking place for many years. Rebranding these attacks with the word ‘cyber’ has conveniently grouped the various attack types together and brought them to mainstream attention. So what actually is a cyber attack?

One of the best definitions I have seen is from Techopedia, which states:

‘A cyber attack is deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyberattacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft.’

Most organisations rely on Information Technology (computers, servers, network equipment etc.) and on information (personal data on staff, financial information, operational information, commercially sensitive information, data on customers etc.). The business impact of a cyber attack could therefore include reputational damage, loss of intellectual property and fines resulting from breaches of the Data Protection Act. Every organisation is a potential victim of cyber attack.

‘Common Cyber Attacks: Reducing The Impact’ has recently been produced by CESG (the Information Security arm of GCHQ) with CERT-UK, and is aimed at all organisations that are vulnerable to attack from the Internet. This informative paper is written for CEOs, boards, business owners and managers and helps them to understand what a common cyber attack looks like and what they can do to defend against it.

The paper covers the following key areas:

  • the threat landscape – the types of attackers, their motivations and their technical capabilities
  • vulnerabilities – what are they, and how are they exploited?
  • cyber attacks, stages and patterns – what is the ‘typical’ structure of a cyber attack?
  • reducing the impact of an attack – what controls are needed to reduce the impact of common cyber attacks?
  • case studies – real world examples that demonstrate how cyber attacks have caused financial and reputational damage to major UK businesses

The threat landscape looks at who could potentially be attacking you and lists the following threat actors:

  • Cyber criminals interested in making money through fraud or from the sale of valuable information.
  • Industrial competitors and foreign intelligence services, interested in gaining an economic advantage for their companies or countries.
  • Hackers who find interfering with computer systems an enjoyable challenge.
  • Hacktivists who wish to attack companies for political or ideological motives.
  • Employees, or those who have legitimate access, either by accidental or deliberate misuse.

There could be various reasons why the above may seek to attack your information systems ranging from political ideology to personal financial gain. It is difficult for organisations to accurately assess the motivation and capability of the attackers but there are relatively simple steps that can be taken to make it harder for attacks to be successful by identifying and reducing your vulnerabilities. The paper highlights three common vulnerabilities:

  • Flaws – unintended functionality in systems as a result of poor design which could be exploited by an attacker to breach a system.
  • Features – intended functionality which can be misused by an attacker to breach a system e.g. JavaScript and macros in Microsoft Office products.
  • User error – users making mistakes, selecting easy-to-guess passwords, using laptops or mobile devices carelessly where the information they enter can be seen by others etc. Even experienced system administrators can make mistakes and misconfigure equipment or fail to fix a security flaw.

The paper describes in some detail the stages of a cyber attack which it summarises into the following four stages:

  • Survey – investigating and analysing available information about the target in order to identify potential vulnerabilities
  • Delivery – getting to the point in a system where a vulnerability can be exploited
  • Breach – exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access
  • Affect – carrying out activities within a system that achieve the attacker’s goal

Many years ago you had to be a highly skilled computer expert to carry out cyber attacks, but these days attack tools can be easily found on the Internet and used by anyone with a basic understanding of computing. Most cyber attackers start by using simple scanners that identify open ports, vulnerable operating systems/applications and the makes and models of network equipment, which helps them to build a picture of the target.

Social engineering techniques are also widely deployed by attackers to gain information about systems, the data you hold and passwords.

So what can you do to stop or reduce cyber attacks on your organisation? The paper states that ‘preventing, detecting or disrupting the attack at the earliest opportunity limits the business impact and the potential for reputational damage.’ Making your network a difficult target will reduce an attacker’s motivation to attempt to breach your security – unless they are highly motivated and have specifically selected your organisation as a target.

As most cyber attacks exploit simple mistakes made by organisations, implementing Cyber Essentials can provide a cost effective mechanism to reduce your organisation’s exposure to the more common types of cyber attack.

Cyber Essentials covers:

  • Boundary firewalls and internet gateways
  • Secure configuration
  • Access control
  • Malware protection
  • Patch management

If the threat against your organisation is greater, then the following additional controls from CESG’s 10 steps to Cyber Security can be implemented to reduce the impact:

  • security monitoring – to identify any unexpected or suspicious activity
  • user training, education and awareness – staff should understand their role in keeping your organisation secure and report any unusual activity
  • security incident management – put plans in place to deal with an attack as an effective response will reduce the impact on your business
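The survey stage described earlier typically shows up in firewall logs as a single source touching many different ports in a short time, and the security monitoring control listed above is what catches it. The following Python script is an added example, not code from the CESG paper or from Aristi: it parses constructed log lines in a simplified iptables/syslog style, groups them by source address, and flags any source that reaches a threshold of distinct destination ports within a sliding time window. The log format, the addresses (taken from the RFC 5737 documentation ranges), the function names, the window and the threshold are all assumptions chosen for illustration; adapt parse_line() to your own firewall's export format.

```python
"""Detect port-scan reconnaissance in firewall logs with a sliding window.

Added example (not from the CESG paper or from Aristi). The log format below
is a constructed, simplified iptables/syslog style; real exports differ.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One line per packet decision: <ISO timestamp> <ACCEPT|DROP> SRC= DST= PROTO= DPT=
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r"\s+PROTO=(?P<proto>\S+)\s+DPT=(?P<dpt>\d+)$"
)

# Constructed sample log (assumption, not real traffic). Three sources:
#   198.51.100.23  sweeps 12 ports in 12 seconds      -> scanner
#   203.0.113.5    normal web client, ports 443 and 80 -> benign
#   203.0.113.77   touches 3 ports over ~55 minutes    -> slow probe
SAMPLE_LOG = """\
2015-01-21T09:00:01 DROP SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=21
2015-01-21T09:00:02 DROP SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=22
2015-01-21T09:00:03 DROP SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=23
2015-01-21T09:00:03 kernel: link state change on eth0
2015-01-21T09:00:04 DROP SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=25
2015-01-21T09:00:05 ACCEPT SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=80
2015-01-21T09:00:05 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
2015-01-21T09:00:06 DROP SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=110
2015-01-21T09:00:07 DROP SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=135
2015-01-21T09:00:08 DROP SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=139
2015-01-21T09:00:09 ACCEPT SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=443
2015-01-21T09:00:09 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
2015-01-21T09:00:10 DROP SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=445
2015-01-21T09:00:11 DROP SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=3389
2015-01-21T09:00:12 DROP SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=8080
2015-01-21T09:00:20 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
2015-01-21T09:00:31 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
2015-01-21T09:01:02 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
2015-01-21T09:05:10 DROP SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP DPT=22
2015-01-21T09:30:44 DROP SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP DPT=80
2015-01-21T10:00:02 DROP SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP DPT=443
"""


def parse_line(line):
    """Return an event dict for a recognised firewall line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def detect_scans(log_text, window=timedelta(seconds=60), threshold=10):
    """Map source IP -> alert for sources that hit >= threshold distinct
    destination ports within any `window`. Both ACCEPT and DROP count,
    because a scanner also touches the ports that are open."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            per_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e["ts"])
        port_counts = Counter()  # distinct ports currently inside the window
        left = 0
        for ev in events:
            port_counts[ev["dpt"]] += 1
            # Slide the left edge forward until the window fits.
            while ev["ts"] - events[left]["ts"] > window:
                old = events[left]["dpt"]
                port_counts[old] -= 1
                if port_counts[old] == 0:
                    del port_counts[old]
                left += 1
            if len(port_counts) >= threshold:
                prev = alerts.get(src)
                if prev is None or len(port_counts) > len(prev["ports"]):
                    alerts[src] = {"start": events[left]["ts"], "end": ev["ts"],
                                   "ports": sorted(port_counts)}
    return alerts


if __name__ == "__main__":
    for src, a in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {len(a['ports'])} distinct ports between {a['start']} and {a['end']}")
```

Counting distinct destination ports rather than raw packets is what keeps the busy but legitimate client out of the alerts. The trade-off is in the window: with the 60-second default the slow probe from 203.0.113.77 is missed, while `detect_scans(SAMPLE_LOG, window=timedelta(hours=2), threshold=3)` catches it at the cost of more false positives on a real network, so the two parameters need tuning against your own baseline traffic.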

One of the most effective ways to protect against cyber attacks is to implement a governance regime for identifying and managing risks to your information systems. To be effective, this has to be led by senior management and embedded into the organisation so that it becomes part of normal business process. In effect, it changes the culture of the organisation to one that is more security aware.

The ISO 27001:2013 standard provides a robust framework for building an Information Security Management System (ISMS) for an organisation, which includes risk assessment and management with senior management involvement. It requires more effort and commitment than Cyber Essentials but provides greater value.

Going back to the CESG paper, it states in closing that ‘doing nothing is no longer an option; protect your organisation and your reputation by establishing some basic cyber defences to ensure that your name is not added to the growing list of victims.’

Harj Singh is the founder and CEO of Aristi and has over 25 years of experience in the IT and Security industry, gained through technical and managerial roles. Harj has helped clients in the public and private sectors to develop and implement security strategies and solutions that add value to their business.
