Cyber Serious: Complex threat environments, unidentified risk and human error


21 March 2019

In the penultimate piece of our ‘Cyber Serious’ series on cybersecurity we explore the complex threat environment. Be sure to follow our ‘Cyber Serious’ series over the next few weeks and take a look at the pieces already published. 

Follow us on LinkedIn to ensure you don’t miss a beat.

“There are known knowns – these are things we know that we know. There are known unknowns, that is to say, there are things that we know we don’t know. But there are also unknown unknowns – there are things we don’t know we don’t know.”

Donald Rumsfeld, United States Secretary of Defence, 2002.

When organisations consider the online environment they operate in, it’s important to remember that in most cases the true and complete picture is outside the reach of the organisation, especially when it comes to cybersecurity threats.

In cybersecurity, the complex threat environment is a concept that covers all possible threats, both known and unknown to an organisation. Cyberattacks can come from a far wider range of sources, angles and locations than is generally known to the organisation in question.

At the same time, organisations are coping with a range of internal security performance issues, such as rolling out or maintaining a new process, ensuring they have the right people working on it, and ensuring they have the correct technology in place.

This intersection of unidentified external threats and internal complexities can leave holes in security protection, some of which are known and some of which are unknown. This is a cybercriminal’s dream.

What can these holes be?

There are many. For one, no matter how good your systems are, human error cannot be fully controlled. In cybersecurity, the exploitation of human error is known as social engineering – the psychological manipulation of people into performing actions or divulging confidential information that would damage an organisation. It is a type of confidence trick or scam carried out for the purpose of fraud or system access, and is often one of many steps in a more complex fraud or breach attempt.

The four main types of socially engineered cyberattack are:

  • Vishing: otherwise known as ‘voice phishing’, this uses social engineering over the telephone system to gain access to private personal or financial information from a member of staff, which is then used as part of a breach of the organisation’s security. It is also employed by cyberattackers to gather more information on the type or specification of system that an organisation has before attacking it at a later date.
  • Phishing: as most people know, this social engineering attack uses an email that appears to come from a legitimate source requesting ‘verification’ of information (or similar) as a way of provoking the victim to click on a link and give a malware program access. A more brazen attack involves directing victims to another website to input sensitive information themselves, such as a password or credit card details.
  • Smishing: this uses SMS messages in an attempt to engineer the victim into taking a specific course of action.
  • And lastly, impersonation: a physical impersonation of another person by the criminal with the goal of gaining physical access to a system or building to collect information for a forthcoming cyberattack.

There is an endless number of threats in a complex threat environment, each with its own nuances, which are often specific to sectors. Botnets, man-in-the-middle (MitM) attacks, denial-of-service, SQL injections: the list goes on.

Let’s not fly blind

The complex threat environment an organisation operates in is unique to that organisation. To understand it, organisations must first map it, providing visibility where before there might have been none, and turning the ‘unknown’ weaknesses into ‘known’ weaknesses before fixing them.

Vulnerability scans, testing systems, testing staff actions and constant evaluation of the existing system should be the cornerstone of any cybersecurity strategy. The complex threat environment is by its nature constantly evolving and becoming increasingly multifaceted.

One trend that is causing visibility challenges in the complex threat environment is the diversity of devices coming onto an organisation’s network as we move closer to the Internet of Things (IoT). This means security companies can no longer take the traditional approach of installing a small piece of security software on every device.

A second trend is the movement of data from controlled environments such as servers to the cloud. Years ago, IT would keep the data secure by physically limiting who had access to it, but the explosive growth of virtual servers as well as the movement of physical assets from the datacentre up to the cloud have changed everything.

No matter what the environmental change, visibility must be the foundation of any good cybersecurity strategy in the complex environment we all now operate in. Before you consider security solutions, know your unknowns.

For more information on the challenges brought on by IoT, make sure you read the final piece in our ‘Cyber Serious’ series, coming soon.

Are you considering reviewing your cybersecurity policy? Click here to find out more details on how KJR can help.
