Temper your web wonder with vigilance

Let us consider why we would even wish to connect to the Internet, and pose another question: do we really need it?
Let us then realise that we live and work in a digital age in which society has become heavily reliant on electronic systems to support both private, and business lives, underpinned by the thing we call the net.
We take for granted the simple creation and sending of an e-mail to a friend or colleague. We don’t give a second thought to being connected to our corporate network whilst working from home as we create and share a business-related spreadsheet.
It may be that we are creating content and posting it to our personal website or blog, straight into the eyes of the public. It may be we are using an online service to book a holiday or to buy goods. No matter the type of production, or the methodology under which the internet is being leveraged, it can prove to be of some use.
But is it that important? Who actually cares? And who needs it? Well, to be honest, we do, and we have become very reliant on this invisible labyrinth of connected wires, servers, and services. And, for the majority, a life without the Internet would be like returning to the dark ages.
Only online
Not convinced? Well, one should also remember that, in this internet-driven world, a growing number of businesses only trade via online services, so to be disconnected from the global highway would place some restrictions on our ability to procure goods and services. One should also consider the fact that a growing number of businesses recognise the advantage of internet trading, thus additional discounts may be achieved, placing a trading advantage in the hands of the buyer. And then, of course, there is the prospect of staying in on a cold, wet winter day whilst your local supermarket processes your order in readiness for a doorstep delivery.
So I guess we need to yet again enquire: who needs the Internet anyway? We do! But of course, wherever such benefits and opportunities exist there will also be those who see this interconnected world as a means of exposure, exploitation, crime, or as a medium through which other diverse and miscreant activities may be conducted. In other words, this globalised, interconnected environment is a double-edged sword representing both good and bad, which could manifest in a cyber attack, compromise, or exploitation.
This circumstance of potential risk promotes another question – should such potentials of attack, compromise, or inadvertent disclosure be something we should be concerned about? Well, if we care about personal and business privacy and security, then the answer should (must) be in the affirmative with a resounding ‘yes’. So, given that we agree there are potential risks when we interface with the internet, let us delve under the hood and investigate where such threats may be lurking.
There has been much recent debate about the levels of cyber risk faced by users, business, and governments alike, ranging from the casual criminality of the opportunist, through to the very real cyber dangers manifesting out of state sponsored cyber attacks, through to electronic spying on both governments and commercials.
Threats may be classified into distinct categories, such as the four I suggest here:
• Those seeking targets for the purpose of grooming or abuse, for instance, paedophiles
• Persons or groups who utilise cyber space to drive political or antisocial activities, such as hacktivists
• Organised, or home-grown, cyber criminals seeking to profit from exploitation of selected targets
• Cyber belligerents, acting as mercenaries, or state-sponsored groups
We should also remember that what all classifications of cyber threat have in common is that their miscreant crafts have been in play for many years prior to computers – it is just a matter of moving into a wider arena of modern technologies, which allows options for safer, remote, white-collar types of crime.
A second profile associated with these groups is the sophistication of the crimeware, tools and logical opportunities that are available for leverage. There is no doubt that having the right tools to do the job will increase attackers’ success rates.
To accomplish this, engineered applications may be sourced as COTS (criminal-off-the-shelf) ready-made, or as bespoke, one-off developments. This is nothing new as, way back in the heyday of computer viruses, such utilities were readily available in the form of virus creation kits, with which the average fledgling hacker could create his/her own vector of infection.
What has changed with the advance of time is that such products are now more sophisticated and also commercially driven in the criminal sense. In fact with some operations, the criminal masterminds have even migrated their line-of-sale operations into the cloud, to embrace the advanced options of crime-commerce.
Viruses and phishing
Experience tells us the computing world has excelled in the art of ultimate acceptance of new vectors of risk. This was the case with computer viruses, and Trojans (where some anti-virus providers actually removed Trojans from their applications, as they did not meet the purist definition of a virus). Then there was the continued acceptance of spam, which was only considered a nuisance in its early days. Of course, the one fact that may be relied on is, once such risks are identified, and accepted, the commercial machines of security solution providers will kick in, albeit after the wave has arrived on the beach.
The same level of risk acceptance equally applies to phishing. In its early incarnations this new, quirky and imaginative threat was somewhat tolerated, notwithstanding that it demonstrated all the attributes of crimeware – it was going where the money was and targeting the susceptibility of the user endpoint.
But just how exposed and vulnerable are the systems we use each day? It’s a big question. Given the reported cyber attacks and levels at which successful infiltrations occur, one could argue that exposure exists, which should not be considered acceptable. It could also be concluded that criminal entities may just be waiting for the next opportunity to exploit, maybe in the form of virtualisation or cloud – who can say? One thing is for sure, when one uses the internet, security must be a proactive partner.
Best defence
So how do users and organisations defend their perimeters and assets? Whilst no single silver bullet solution exists, one might consider seven interlinked steps:
1. Although they no longer represent the all-encompassing protection they once did, ensure that the anti-malware application(s) are maintained up to date.
2. Ensure that applications and operating systems are up to date, and fully patched against known, and reported, vulnerabilities.
3. Consider using a personal firewall, such as those that may have been supplied with the Microsoft operating system.
4. Consider subscribing to cyber-intelligence services, which may be used to identify online threats, misrepresentations or online frauds targeting brands – examples are Cyveillance, and Secunia.
5. As phishing attacks predominantly target end-users, for the business, drive to the heart of the problem by investing in a security education and awareness programme to raise the profile of risk – including for your clients.
6. Watch out for those unexpected e-mail communications delivered to your computer, tablet, or smartphone mail client – if it’s unexpected, smells a little fishy, or simply looks too good to be true, don’t open it.
7. Don’t fall into the trap of believing your particular operating system can never be subject to compromise or incursion – attacks and malware are far reaching, so to some extent the intentions of the cyber adversaries are agnostic to the end point.
It’s not rocket science, just simple solutions and practices, aligned with common sense.
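As an added illustration of how steps 1 to 3 above can be verified on a Windows endpoint (this is example code written for this page, not the author's or ISACA's), the following PowerShell script reports whether Microsoft Defender real-time protection is on and its signatures are current, whether a Windows update has been installed recently, and whether the built-in firewall is enabled on every profile. The cmdlets used (Get-MpComputerStatus, Get-HotFix, Get-NetFirewallProfile) ship with Windows 10/11; the 7-day and 45-day thresholds are assumptions chosen for the example and should be tuned to your own patch cycle.

```powershell
# Added example (not from the article): a quick hygiene check for steps 1-3.
# Assumes Windows 10/11 with Microsoft Defender. The thresholds below are
# assumptions for illustration, not values from the article.
$maxSignatureAgeDays = 7
$maxPatchAgeDays     = 45
$findings = @()

# Step 1: anti-malware maintained and up to date
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += "Defender real-time protection is OFF"
}
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $maxSignatureAgeDays) {
    $findings += ("Antivirus signatures are {0:N0} days old" -f $sigAge.TotalDays)
}

# Step 2: operating system patched recently (most recent installed hotfix)
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings += "No installed hotfix records found"
} elseif (((Get-Date) - $latest.InstalledOn).TotalDays -gt $maxPatchAgeDays) {
    $findings += "Last update $($latest.HotFixID) was installed on $($latest.InstalledOn.ToShortDateString())"
}

# Step 3: built-in Windows firewall enabled on Domain, Private and Public profiles
foreach ($fwProfile in Get-NetFirewallProfile) {
    if (-not $fwProfile.Enabled) {
        $findings += "Firewall profile '$($fwProfile.Name)' is disabled"
    }
}

# Report: an empty findings list means all three checks passed
if ($findings.Count -eq 0) {
    Write-Output "All three checks passed"
} else {
    Write-Output "Findings:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell prompt; Get-MpComputerStatus and Get-NetFirewallProfile need administrative rights to return complete results. A non-empty findings list is the cue to act on the corresponding step in the list above.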
With 95,000 constituents in 160 countries, ISACA is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance.
Founded in 1969, the non-profit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems.
It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations. ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Professor John Walker is a member of the Security Advisory Group of ISACA’s London Chapter.
For more information, please visit www.isaca.org