Collin Greenland | Preparing for cyber attacks
This May and June have seen unprecedented levels of cyber attacks internationally that are now forcing security experts, and indeed all of us, to strengthen the preparatory and preventative efforts that protect our computer systems.
Friday, May 12 saw what has been described as the biggest ransomware cyber-attack in history, indiscriminately hitting more than 200,000 victims in more than 150 countries, striking banks, hospitals, and government agencies.
Even before most of these victims could completely recover, Tuesday, June 27 saw a global outbreak of a file-scrambling software labelled by some as 'Petrwrap', targeting Microsoft Windows, and adversely affecting the operations of maritime locations, supermarkets, advertising agencies and law firms.
Obviously, these global outbreaks represent only a few of the many types of cyber-attacks that plague us these days. The more common kinds include other types of malware, a term that refers to various forms of harmful software, such as viruses and ransomware.
These attacks underscore the need to be aware of these types of assaults and, consequently, to try to prevent or mitigate them. The best way to do so is to practise effective vulnerabilities management.
Effective vulnerabilities management necessitates enlightened cooperation and coordination between the board of directors, executive management and internal audit. Accordingly, all new or updated installations, such as new websites, must involve the design of a process to detect, assess, and mitigate vulnerabilities continually by integrating these tasks into the organisation's overall IT framework.
The issues surrounding vulnerabilities management are not all technical in nature. In fact, many of the greatest challenges will lie with motivating individuals to accept the need for security consciousness and the relevant concerns raised by cyber-security experts, auditors and other security-conscious consultants.
Website contractors should be asked to provide documented and contractual assurances of the type, nature and extent of the security measures accompanying their installation/maintenance operations.
These assurances should cover, for example, the identification and validation of possible risks, the appropriate assessment and prioritisation methods, the relevant remediation measures, and the corresponding maintenance and improvement actions suggested.
Also, it may be helpful to ask questions, and secure the relevant answers from the contractors, on risk considerations such as:
- Bugs or misconfiguration problems;
- Browser-side risks;
- Interception of network data sent from browser to server or vice versa via network eavesdropping.
Website contractors and IT practitioners should be asked to provide details of the techniques utilised, in particular in any penetration tests conducted to determine the feasibility of an attack and the business impact of any successful exploits, if discovered. A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious user, sometimes known as a Black Hat Hacker or Cracker.
The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities.
Organisations should seek to establish a cyber-resiliency framework that permeates the governance process through their enterprise risk management process, overall security strategy, organisational policies and procedures, communication and awareness strategies, and use of standard frameworks and maturity-level assessments.
Incident Response Plan
Organisations should establish sufficient incident-response plans that set out who in the organisation will come together to deal with the implications of an attack. This group will decide which components to escalate. In so doing, companies should not hesitate to hire an outside cyber-security forensics team to help mitigate the problem. It is much more cost-effective to do so before a crisis event than in the middle of one.
The insurance industry is concerned about improving the risk profile for its clients, so it is in its best interest to make sure that not only are all cyber assets adequately insured, but that clients have an incident response plan.
Professional insurers will assist clients to determine how much insurance coverage is needed for cyber assets, and can provide templates, employee awareness training, regulatory preparedness, and other related compliance readiness.
Law enforcement personnel in the Fraud Squad and FID, and other public sector agencies with cybercrimes units, are good first-response resources and contacts to have in our efforts to practise effective cyber-security.
If the months of May and June are indications of things to come, preparing ourselves for cyber-crimes may be not only an enlightened and judicious strategy but, increasingly, obligatory for survival in today's complex cyber world.