Cyber attacks are not a new phenomenon. Malicious hacking attacks on information systems over the Internet have been taking place for many years. The rebranding of these attacks using the word ‘cyber’ has conveniently grouped the various attack types together and brought them to mainstream attention. So what actually is a cyber attack?.
One of the best definitions I have seen is from technophedia which states:
‘A cyber attack is deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyberattacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft.’
As most organisations rely on Information Technology (computers, servers, network equipment etc.) and information (personal data on staff, financial information, operational information, commercially sensitive information, data on customers etc.) the business impact of a cyber attack could include reputational damage, loss of intellectual property and fines resulting from breach of the Data Protection Act. Every organisation is a potential victim of cyber attack.
‘Common Cyber Attacks: Reducing The Impact’ has recently been produced by CESG (the Information Security Arm of GCHQ) with CERT-UK, and is aimed at all organisations who are vulnerable to attack from the Internet. This informative paper is aimed at CEOs, boards, business owners and managers and helps them to understand what a common cyber attack looks like and what they can do to defend against it.
The paper covers the following key areas:
- the threat landscape – the types of attackers, their motivations and their technical capabilities
- vulnerabilities – what are they, and how are they exploited?
- cyber attacks, stages and patterns – what is the ‘typical’ structure of a cyber attack?
- reducing the impact of an attack – what controls are needed to reduce the impact of common cyber attacks?
- case studies – real world examples that demonstrate how cyber attacks have caused financial and reputational damage to major UK businesses
The threat landscape looks at who could potentially be attacking you and lists the following threat actors:
- Cyber criminals interested in making money through fraud or from the sale of valuable information.
- Industrial competitors and foreign intelligence services, interested in gaining an economic advantage for their companies or countries.
- Hackers who find interfering with computer systems an enjoyable challenge.
- Hacktivists who wish to attack companies for political or ideological motives.
- Employees, or those who have legitimate access, either by accidental or deliberate misuse.
There could be various reasons why the above may seek to attack your information systems ranging from political ideology to personal financial gain. It is difficult for organisations to accurately assess the motivation and capability of the attackers but there are relatively simple steps that can be taken to make it harder for attacks to be successful by identifying and reducing your vulnerabilities. The paper highlights three common vulnerabilities:
- Flaws – unintended functionality in systems as a result of poor design which could be exploited by an attacker to breach a system.
- User error – users making mistakes, selecting easy to guess passwords, using laptops or mobile devices carelessly where information they enter can be seen by others etc. Even experienced system administrators can make mistakes and misconfigure equipment or fail to fix a security flaw.
The paper describes in some detail the stages of a cyber attack which it summarises into the following four stages:
- Survey – investigating and analysing available information about the target in order to identify potential vulnerabilities
- Delivery – getting to the point in a system where a vulnerability can be exploited
- Breach – exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access
- Affect – carrying out activities within a system that achieve the attacker’s goal
Many years ago you had to be a highly skilled computer expert to carry out cyber attacks but these days, attack tools can be easily found on the Internet and used by anyone with a basic understanding of computing. Most cyber attackers start by using simple scanners that identify open ports, vulnerable operating systems/applications and makes and models of network equipment which helps to build a picture of the target.
Social engineering techniques are also widely deployed by attackers to gain information about systems, the data you hold and passwords.
So what can you do to stop or reduce cyber attacks on you organisation? The paper states that ‘preventing, detecting or disrupting the attack at the earliest opportunity limits the business impact and the potential for reputational damage.’ Making your network a difficult target for attackers will reduce the motivation of an attacker to attempt to breach your security – unless they are highly motivated and have specifically selected your organisation as a target.
As most cyber attacks exploit simple mistakes made by organisations, implementing Cyber Essentials can provide a cost effective mechanism to reduce your organisation’s exposure to the more common types of cyber attack.
Cyber Essentials covers:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
If the threat against your organisation is greater, then the following additional controls from CESG’s 10 steps to Cyber Security can be implemented to reduce the impact:
- security monitoring – to identify any unexpected or suspicious activity
- user training education and awareness – staff should understand their role in keeping your organisation secure and report any unusual activity
- security incident management – put plans in place to deal with an attack as an effective response will reduce the impact on your business
One of the most effective ways to protect against cyber attacks is to implement a governance regime for identifying and managing risks to your information systems. To be effective, this has to be led by senior management and embedded into the organisation so that it becomes part of normal business process. In effect, it changes the culture of the organisation to one that is more security aware.
The ISO 27001:2013 standard provides a robust framework for building in Information Security Management System (ISMS) for an organisation which includes risk assessment and management with senior management involvement. It requires more effort and commitment than Cyber Essentials but provides greater value.
Going back to the CESG paper, it states in closing that ‘doing nothing is no longer an option; protect your organisation and your reputation by establishing some basic cyber defences to ensure that your name is not added to the growing list of victims.’