Disclaimer: This only represents my experience, views and opinions.
Information Security Managers oversee an organisation's information security programme, which includes network security. Drawing on documented knowledge of past incidents and breaches, whether intentional or accidental and whether from internal or external sources, an Information Security Manager starting a new role and facing open threat issues should first and foremost reassess all risk within the organisation or business enterprise. He or she can then either recommend a new framework and set of controls (an ISMS standard such as ISO 27001/27002, or governance and service-management frameworks such as COBIT and ITIL) or continue with the current framework while removing, reducing or adding controls.
With support and approval for the recommended framework or new controls from upper management (executive management and the board of directors), the controls chosen may be technological, or they may be policy controls such as banning employees from using mobile phones, MP3 players, PDAs and USB drives (portable devices for moving data around) for work or leisure within the organisation. The aim is to reduce exposure to vulnerabilities and attacks, especially identity theft, intellectual property theft and espionage.
The next step is to continuously monitor and risk-assess the identified constraint areas: network systems, application software, the physical environment and employee culture and behaviour. The goal is to determine strengths and weaknesses by identifying and listing the vulnerabilities, threats, likelihood and impact against organisational assets such as data, systems, the physical environment and employee behaviour. At this stage a business impact analysis is conducted so that business continuity and disaster recovery plans can be developed. A business case can also be prepared to convince business unit managers and upper management (executive management and the board) to approve the budget for the needed controls, and to approve and support the policies, standards, procedures and guidelines that protect the organisation's data and systems in line with its business objectives and goals.
Some of the most common threats affecting organisations or business enterprises, and the controls recommended for them, are discussed below under three headings: social engineering, cyber security threats and phishing. Threats can be accidental or intentional, and include theft and corruption of data, industrial espionage, improper configuration of network equipment, and application software bugs.
The third step is to create security policies. These act as standing rules for employees and, where applicable, third-party contractors, supported by procedures and guidelines that help prevent breaches against the organisation's data, network systems, physical environment and employee behaviour. When creating policies, Information Security Managers should enlist the help of business unit managers, senior staff and the security steering committee, and obtain final approval from the board before a policy becomes a rule, so that it is more easily implemented and accepted by all employees.
Most common threats causing breaches in organisations or enterprises
A threat can be defined as a potential attack, launched from an internal or external source, that exploits a vulnerability or exposure within the organisation or business enterprise and breaches its information systems or its physical and environmental security.
Some common threats that can affect organisations or business enterprises: social engineering (insider theft, loss of mobile devices, employees and their families, visitors and contractors); cyber security threats (cyber-theft, cyber espionage, malware such as watering-hole attacks and ransomware, insecure passwords, insecure Internet of Things devices, APTs, combined threats, denial of service attacks, hacking attempts, man-in-the-middle attacks, SQL injection, spam and viruses); and phishing (emails).
Common threats and some controls implemented
The most common threats I have identified in organisations and business enterprises are:
Threat: Social Engineering - Employees can be the biggest threat to an organisation's data and systems because of their behaviour and culture. Whether through accidental mishaps, as disgruntled employees, for money or glory, or to expose weaknesses in the organisation's security, they can steal or destroy data while moving it around on personal portable drives. They can cause problems intentionally or unintentionally, for example by giving out information while trying to be helpful. Contractors and visitors raise the same question: how far can they be trusted?
Social Engineering Risks: Data theft (customers' personal details stolen by identity thieves, intellectual property theft and industrial espionage); web searches for a targeted organisation's employee phone listings; helpdesk staff disclosing information to callers pretending to be staff, who then use the login details to break into network systems and escalate privileges; phishing; helpful employees unaware of the security risk of assisting strangers. Data can be corrupted or lost when employees move it around on personal portable devices, and employees can introduce viruses or install malware from freeware, intentionally or by mistake, affecting network systems. Curiosity about a found USB key labelled "Top Secret" can infect network systems in the same way. Any of these can cost a great deal in replacing business assets or in litigation brought by shareholders or customers. Contractors and visitors raise further questions: are they gathering information while on site, have staff briefed them on procedures, do they carry hidden recording cameras or take pictures with mobile phones, and do they carry a USB stick with a Trojan to steal information or infect the organisation's network?
Social Engineering Controls: Security awareness training; banning all personal and portable devices and disabling removable drives so they cannot be used; and configuring VLANs on switches port by port to segment the network, combined with role-based, authenticated access to classified data on a server, so that employees reach the data they need without moving it around on portable media. Anti-virus software can block viruses and malware or alert on them. Human resources should vet employees before hiring them, appraise them during employment, and follow defined procedures on termination. Contractors and visitors should be monitored closely by security guards and CCTV when entering and leaving the building to deter hidden recording or photographic cameras. Workstations should be inspected periodically to remove rogue devices such as USB Rubber Ducky keystroke injectors and rogue Wi-Fi access points planted to gather data. Advise the IT department to provide two-factor authentication for login, segment the network, and use time-of-day or location-based access controls. Agree how information is, and is not, shared with colleagues, vendors and business partners, and be specific about security practice in SLAs and contracts.
Threat: Cyber Security threats affect the networks of both organisations and business enterprises. No network can honestly be called 100% secure: given enough time, attackers find ways to penetrate a network no matter how hard the defenders work to protect it. The attackers behind cyber security threats are cyber criminals (including identity thieves), hacktivists, hackers, nation states, malicious insiders, and non-malicious insiders (for example, someone downloading freeware laced with malware). Motives include financial gain, theft of classified data or intellectual property, and disruption of services.
Cyber Security Risks: Cyber-theft (identity and intellectual property theft), cyber espionage, malware (watering-hole attacks, ransomware), brute force attacks, insecure Internet of Things devices, APTs, combined threats, denial of service attacks, hacking attempts, man-in-the-middle attacks, SQL injection, spam, viruses, social engineering and phishing. Insider threats are a distinct risk: employees with detailed knowledge of the company's computer and network systems can plant backdoors, destroy data, cause denial of service or steal data. Finally, loss of a mobile device can mean loss of customer details.
Cyber Security Controls: Security awareness training; continuous monitoring of the network security perimeter; network visibility sufficient to detect incidents in real time; skilled personnel able to perform network or packet forensics; enough packet storage to document and review past incidents as lessons learned for future risk control; encryption of data; regular patching of operating systems and application software, and keeping anti-virus software and signatures current; disabling USB drives on workstations; least privilege for employees; intrusion prevention or detection systems; firewalls configured to monitor and filter traffic; email content filtering and junk mail features; two-factor authentication for login and a VPN for remote access; network segmentation; and time-of-day or location-based access controls with alerting. Agree how information is, and is not, shared with colleagues, vendors and business partners, and be specific about security practice in SLAs and contracts. Find ways to share threat intelligence with similar organisations, since events at different organisations may be related. Always have backups and an incident response plan.
Threat: Phishing is a form of social engineering used against organisations, business enterprises and individuals. The targeted person is manipulated into taking an action that is not in their own interest or in the interest of the organisation or business enterprise.
Phishing Risks: Lack of staff security awareness training; business email compromise and compromise of personal email accounts; lookalike domain and website names that differ from the genuine one by a character or two; and combined attacks such as an email carrying an infected attachment.
Phishing Controls: Security awareness training; always verifying who actually sent an email (the sending address and domain, not just the display name) before opening or acting on it; email content filtering and junk mail features; anti-virus software; intrusion prevention functions; an agreement on how information is, and is not, shared with colleagues, vendors and business partners; and specific security practice requirements in SLAs and contracts.
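As an added example, not code from the original article, the following script shows what "verify who sent the email" and "beware of lookalike names" from the phishing controls look like as an automated check that an email content filter could run on inbound headers. It flags sender domains that are near-misses of a trusted domain (homoglyph swaps, one or two typos, or the trusted name used as a prefix of an attacker's domain), display names that claim an internal address while the real address is external, and Reply-To headers pointing somewhere other than the sender. The trusted domains and the sample messages are constructed for this example and do not describe any real organisation.

```python
"""Added example (not from the original article): header triage for two of
the phishing signs the text warns about: lookalike sender domains and display
names that claim an internal identity on an external address.
The trusted domains and sample headers are constructed for this example."""
from email.utils import parseaddr

# Hypothetical trusted domains for the example organisation (assumption).
TRUSTED_DOMAINS = {"example.com", "example-corp.com"}

# Character swaps commonly used in lookalike registrations, mapped back to
# what the eye reads them as. Two-letter pairs go first so they are not split.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain):
    """Undo common homoglyph swaps so that 'examp1e.com' reads 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance between two short strings (single-row DP table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None.

    Covers homoglyph swaps, one or two typo edits, and the trusted name used
    as a prefix of an attacker domain ('example.com.invoices-secure.net').
    A genuinely different domain ('example.net') is not flagged.
    """
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or levenshtein(norm, trusted) <= 2:
            return trusted
        if norm.startswith(trusted + ".") or norm.replace("-", ".").startswith(trusted + "."):
            return trusted
    return None


def split_address(header_value):
    """Parse 'Display Name <user@domain>' into (display_name, domain)."""
    name, addr = parseaddr(header_value)
    if "@" not in addr:
        raise ValueError("no address in header: %r" % header_value)
    return name, addr.rpartition("@")[2].lower()


def triage(headers):
    """Return the list of (rule, detail) findings for one message's headers."""
    findings = []
    name, from_domain = split_address(headers["From"])

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("lookalike-domain", "From %s imitates %s" % (from_domain, imitated)))

    # Display name 'jane.doe@example.com' on an external address: the reader's
    # mail client shows the internal address, the reply goes to the attacker.
    claimed = name.rpartition("@")[2].lower()
    if from_domain not in TRUSTED_DOMAINS and claimed in TRUSTED_DOMAINS:
        findings.append(("display-name-spoof", "display name %r on external domain %s" % (name, from_domain)))

    reply_to = headers.get("Reply-To")
    if reply_to:
        _, rt_domain = split_address(reply_to)
        if rt_domain != from_domain:
            findings.append(("reply-to-mismatch", "From %s but replies go to %s" % (from_domain, rt_domain)))
        imitated = lookalike_of(rt_domain)
        if imitated:
            findings.append(("lookalike-domain", "Reply-To %s imitates %s" % (rt_domain, imitated)))
    return findings


# Constructed sample headers: one clean message and three showing the patterns above.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example.com>"},
    {"From": '"IT Helpdesk" <helpdesk@examp1e.com>'},
    {"From": '"jane.doe@example.com" <ceo.urgent@gmail.com>',
     "Reply-To": "payments@exarnple-corp.com"},
    {"From": "Vendor Billing <billing@example.com.invoices-secure.net>"},
]


def triage_all(messages=SAMPLE_MESSAGES):
    """Map each message index to the list of rules it triggered."""
    return {i: [rule for rule, _ in triage(m)] for i, m in enumerate(messages)}


if __name__ == "__main__":
    for i, rules in triage_all().items():
        print(i, SAMPLE_MESSAGES[i]["From"], "->", rules or "clean")
```

The homoglyph table and the edit-distance threshold of two are deliberately aggressive and will produce some false positives on legitimate third-party domains; in a real filter the result should route the message to quarantine or add a warning banner for the reader, not silently discard it, and the check should run alongside SPF, DKIM and DMARC validation rather than replace them.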
To reduce these threats to an acceptable level, organisations and business enterprises should put controls in place such as employee security awareness training programmes; continuous monitoring of the network, the physical perimeter and the organisational culture; and recording of incidents so that post-incident lessons feed the continuous improvement of controls.
By Prince Cline-Cole