Many of you will have seen reports of attackers who obtained customer names, financial information, addresses and telephone numbers from a large online dating site called Ashley Madison. In the same month, in Europe, a large mobile telephone provider “shared” 2.5 million customer records without their knowledge due to attacks on their systems.
A company lost commercially valuable new research information on the latest types of battery for use in cars, showing long life and fast recharge capacities. They reported the matter to the police. Whereas some companies are making computer security a priority, others are being dragged into realising they must do something before it is too late.
This review will lift the curtain a little on the latest developments to give you reassurance, but first, to make the strength of this risk real, let us step back in time just a few years.
Nortel Networks Corporation, formerly known as Northern Telecom Limited and sometimes known simply as Nortel, was a multinational telecommunications and data networking equipment manufacturer in Canada, founded in 1895. At its height, Nortel accounted for more than a third of the total valuation of all the companies listed on the Toronto Stock Exchange (TSX), employing 94,500 worldwide.
On January 14, 2009, Nortel filed for protection from its creditors in the United States, Canada, and the United Kingdom, in order to restructure its debt and financial obligations. In June 2009, the company announced it would cease operations and sell off all of its business units.
Rumours still abound that one of their senior staff had his emails regularly hacked and read, and that much of the latest research information and plans went daily to a competitive environment over a period of 12 months. It is widely believed this led to the collapse and closure of the company, all due to just one email account that was being “watched” outside the company.
Although many try to make IT security a jumble of complicated jargon, the subject is easier to understand if broken down into two categories.
1. Human controls – i.e. how you control your staff using your systems to prevent human error. We heard of one company where staff had passwords stuck on notepaper on the computer screens for all to read.
2. Systems controls – where you fight back with technology to protect your files, just like locking your house, with alarms sounding if someone tries to get in. You lock out the hacker with technology solutions working in the network with alerts and locks. That said, you should not forget that in the event of a security breach you must have “tested” business security plans so you can continue trading tomorrow even if you cannot access your premises (denial of access) or cannot access your computers (lockout).
So what can be done?
As we have mentioned, locking out the criminal by protecting your network is a good start. But the only 100 percent method is to place a computer in a locked room, without Internet and without an external disc drive or reader.
So, taking that as the model, you can see that if you put sensors on your network, technology should be available to ring alarm bells when people try to get in and an attack starts, or when the remote “user” seems to be working in a different way from normal.
Car systems are already doing this, monitoring for a different driving style. You will have read of systems called firewalls that are designed to stop someone entering your system. But let us assume that the hacker is already in and on your network or using your online application.
Taking the car example, new IT systems are being installed that watch to see if the pattern of usage is different from normal. One example is BioCatch. This spots changes in user behaviour such as the speed that is seen on the keyboard or with the mouse and more. This may throw up false alarms but it is an innovative idea that logically should help. In their words “It collects and analyses more than 500 behavioural, cognitive and physiological parameters to generate a unique user profile”.
They have also introduced some new terms: Man-in-the-Browser (MitB) Malware and Remote Access (RAT) attacks. (Malware is an abbreviation of malicious software: software designed specifically to damage or disrupt a system.)
Other new approaches to provide protection include Bionym, which provides wearable devices to authenticate a user, to prove it is really you. Another supplier is Nymi, which provides a wristband that detects heart readings of the wearer, to prove it is really you.
So what else about the human element?
We often advise companies to revise their staff employee handbook and terms and conditions of employment. For example: no member of staff is allowed to bring in WiFi equipment without written consent, no company access at home unless via a virtual private network, and no dangerous storage procedures when recording their client passwords – i.e. do not stick them on the screen. On a recent company visit, the company had invested heavily in IT security before we were invited in, and we deliberately visited at lunch time. A member of staff invited us in, and we entered via an open fire exit and saw a number of passwords clearly visible on desks.
No amount of IT penetration testing (controlled electronic attacks on firewalls) can prevent human issues. In the past it has been widely reported that over 80 percent of computer attacks have been due to “in-company” involvement. For example: disgruntled ex-staff, historical passwords not deleted, and easily guessed passwords, e.g. “PASSWORD”.
Data breaches and cyber security are critical subjects and you cannot ignore these issues. Through our client work we have the best of both worlds: seeing many operations and hearing of attacks, as well as observing security installs designed by our teams and/or external contractors to close the trap doors and protect our clients.
Financial advisers are perhaps the most at risk, together with start-ups with their commercially innovative and sensitive information. But if you have any client lists, this is vital information for competitors. And remember this: whereas you hear about a company losing information, there are also more subtle attacks where, for example, your standard terms and conditions may be subtly changed. In one company the clause was changed, making payment due within 3 years. Nothing else was changed. Then try and take legal action for non-payment.
When did you last read your own terms and conditions of trading as issued to customers?
You will, or should, be regularly testing your systems with antivirus software, and you should have a unique and complex password for every application. But sometimes you may respond to what appears to be a correct email when it is in fact a method to extract your passwords and user account information.
You will, we hope, have grasped the theme of this document, which says loudly: watch out and protect your company assets. There are thousands of attacks every minute, so it is not a matter of if but when it happens to you.
We conclude by providing just a very short list of terms to help broaden your understanding.
As mentioned earlier, this is an abbreviation for malicious software designed to damage a system.
Malicious software to damage a mobile device such as a Smartphone.
Citadel Trojan, designed to steal personal information, including banking and financial information.
An abbreviation for IP Security, a set of protocols to support secure exchange of information.
A programme that replicates itself over a computer network and usually performs malicious actions.
Malware worms that spread via instant messaging, USB drives, websites and social media.
A system designed to prevent unauthorised access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both.
Computer code that is loaded onto your computer without your knowledge and runs with malicious intent.
A Web server that supports any of the major security protocols, like SSL that encrypt and decrypt messages to protect them against third party access.
Logic bomb or Time bomb
Malicious, destructive code, added to an application or computer operating system that rests dormant until a pre-determined period of time or when an event occurs that triggers the code into action.