What’s the Problem?

There are so many new buzz words and acronyms in information technology every year, that it’s hard to keep up. And sometimes it’s even harder to see the wood from the trees with all the new Cyber Security products and solutions being pushed by the big tech companies. As a result, it's difficult to get clarity around Cyber Security.

The question you must ask yourself is, do you need to buy every single security solution, appliance, or service to ensure that you are 100% secure.

First, let’s be clear about one thing, there is no such thing as 100% secure. The marketing departments of many crypto projects proudly display a “100% secure claim” on their websites, but they are often the first to be hacked. So be careful what you wish for.

Yes, you can get a clean audit with zero findings, but auditors have told me that it can take some years to get to that point especially if your security controls are not mature.

Anyway, a clean security audit is no guarantee either.

Increasing your security budget certainly helps. JPMorgan were planning to spend $250 million and employ 1,000 personnel in Cyber Security in 2014 but they still got hacked. So in October that year they apparently decided to double that figure.

This is called the “brick wall” approach.  If you throw enough crap at a brick wall, some of it is bound to stick.

So, what’s the problem?

The biggest problem we face today is getting clarity around Cyber Security, from executive board level right down to users.

In this article I’m going to help you get clarity about Cyber Security and shed some light on how deep and wide the Cyber Security domain is.

So, let’s dive in.

A Simplified Model for Clarity Around Cyber Security

According to Cisco Systems “Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes”.

That’s a good definition with all the right keywords in it, so I will use it as a basis for this discussion.  However, because prevention is always better than cure, Cisco’s definition has a weakness, protection alone is not enough.

This following model breaks down Cyber Security into four interlinked sub-domains: assets, risks, causes and prevention.

Whether you are the CISO of a large multinational corporation, or a home user, you should be concerned about all four sub-domains.

Get Clarity Around Your Digital Assets

If you consider the Internet, mobile & fixed telephone networks, and all the information technology used in businesses and homes, digital assets boil down to three categories, hardware, software, and data.

You can further categorise hardware down into compute, network, and storage.

If you are the CTO of a major corporate then your assets will be on-premise, co-located or hosted with managed service providers, in public cloud, or with mobile users and those working from home.

But if you are a small business or home user then your assets scope is probably limited to your computers, home Wi-fi, a NAS, smartphones, and IoT smart home devices.

What are the Main Risks to Your Digital Assets?

Whether your data is personal data, medical data, credit card data or the private keys to your crypto wallet, it has some value to you or others.

So, what are the risks to your data if your Cyber Security is not up to scratch?

Your data can be:

• Stolen through unauthorised access
• Modified or damaged in some way
• Destroyed beyond recovery

Access rights can be abused by insiders to steal data, and to try to address this problem, Microsoft now offer add-ons to their Office365 services to monitor and manage this risk.

Hackers can also easily gain access to unpatched systems that are accessible from the Internet.  Zero-day or recently disclosed software vulnerabilities are often the root cause, and the recent Log4j vulnerability is a great example of this.

Data can be damaged or modified inadvertently, or maliciously during ransomware attacks.

Total loss of data can also occur when data is deleted or lost, and no current backup is available.

Organisations must use threat modelling, regular risk assessments and security gap analysis to take the appropriate actions to deal with these risks.

Causes & Motivations behind Cyber Security Incidents.

There are many motivations and causes of Cyber Security incidents and data theft. They fall into three main categories, (i) financial, political, or material gain, (ii) human action or inaction and (iii) natural causes.

These causes and motivations can be further expanded to include:

• War & Terrorism
• Government Spying
• Activism & Hacking
• Organised Crime Scams & Rackets
• Social Media & Advertisers Data Mining
• Natural Disasters
• Human Error
• Negligence
• Ignorance
• Malice

Your credit card details or crypto wallet credentials can be stolen and used for financial gain. You personal files can be used for extortion or ransomware. Your compromised password can be used to carry out attacks on your company’s infrastructure.

Many ransomware attacks modify your data using encryption in such a way that it cannot be decrypted without paying the ransom. It is also well known that organised crime gangs routinely use phishing scams for financial gain.

Lone hackers may hack systems for some personal gain, even for something as simple as modifying University exam results.

Governments or activists may use weaknesses in a foreign government’s infrastructure to inflict financial or material damage.

In 2007, a distributed denial of service (DDoS) attack was directed at Estonia’s government, banking and civilian infrastructure and services, many government websites were defaced and all of the country's public services were affected for three weeks.  The attacks were never proven to be government sponsored.

And let’s not forget the Stuxnet incident, where many centrifuges were destroyed in Iran’s nuclear infrastructure, by an attack using malware delivered on a USB storage device.

According to Edward Snowden's book governments have been known to use technology to gather data illegally.

Despite privacy law like GDPR, social media giants and advertisers routinely collect and sell your personal data using browser cookies, analytics code, pixels embedded in websites, and tracking features embedded in mobile apps.

Even though you clicked to accept their terms & conditions, or accepted a cookie warning, your private data is still effectively being systematically harvested.

Even more important is that businesses need to be aware of just how much sensitive data is being leaked out of their businesses, via search, translate and other services, not to mention the use of unmanaged business smartphones in many organisations.

But data can also be corrupted or damaged by failed or faulty hardware or software, or lost encryption keys. External USB drives based on solid-state memory and encrypted or RAID arrays on NAS devices are great examples of where you can corrupt or lose vast amounts of data because of such issues.

Many cases of data loss are because of carelessness, insufficient Cyber Security awareness, or pure ignorance of the risks.

Natural disasters can also play a role in data loss, and therefore modern cloud services usually employ an availability zone over three different datacentres.

Protection is not the Same as Prevention

Probably the biggest area in Cyber Security is prevention. This is where an effective information security management system (ISMS), appropriate security controls & audits, and a suitable security architecture are critical. Your security architecture must use solid and modern security elements like those I mention in my other article about Cyber Security Solutions.

Standards and frameworks from organisations like the CSA, NIST, PCI and ISO are security standards that can be leveraged by organisations to implement and monitor the appropriate security controls to ensure that data is not just protected but that data loss is prevented.

Users need more and better security awareness training, and security teams need to be bigger, more experienced, better funded, and better trained.

Prevention of data modification or corruption requires that you have immutable backups.  Whether you are a home user or a major corporate, you can use solutions like Amazon Web Services S3 in combination with Glacier for immutable backup and archiving. Solutions like Acronis Cyber Protect Cloud are also good options.

Organisations also need to ensure that solution architects use best practises in "security by design", leverage vendor reference architectures and integrate the latest innovations in security technology from industry leaders.

Development teams also need better and more frequent secure development training, and need to integrate DevSecOps methods into their development pipelines to ensure that security issues are seen earlier in the software development lifecycle.

Concluding Remarks

The Cyber Security domain is very deep and extremely wide, and it is somewhat misunderstood and underestimated by businesses and by ordinary users.

Yes, we’ve heard it all before:

• Don’t worry we have the next generation firewall
• We’re just fine, we’ve got the best anti-virus
• It’s OK, we have MFA on “almost” all our servers
• We run simulated phishing campaigns
• No worries, we have SolarWinds
• Our CISO used to work for XZY Inc
• We had no major findings in the audit

Getting clarity around Cyber Security is only a first step, but a major one. The next thing to do is create a security roadmap and start acting on the key tasks that will make the biggest improvements to your Cyber Security.

Until there is complete clarity around Cyber Security in organisations, CISO’s and security teams will continue to fight a losing battle against Cyber attacks and data loss.

Finally, if you find this post interesting and you'd like to be notified about new articles, please subscribe to my newsletter here or using the form below.