Cyber security – a call for constant vigilance

March 8th, 2016, Published in Articles: EngineerIT

The notion that, with security software and safety measures taken care of, companies and home users can relax remains a dream. In today’s world, almost everything connected to the internet and technology poses a constant security threat. The cat-and-mouse game that has typified cybersecurity in recent years continues, with hackers constantly finding new ways in which to attack networks. Awareness is critical when it comes to mitigating risk, and companies should implement multi-layered security with the best and latest threat prevention capabilities in order to achieve the best protection.

Doros Hadjizenonos, country manager, Check Point South Africa, says that another factor that has become a major security concern is mobility. In the last decade, mobile devices have not only represented one of the largest accelerators of business, but also the largest threat to their security.

“This has become evident with several high-profile mobile vulnerabilities emerging over the past year, including Certifigate on hundreds of millions of Android devices and XcodeGhost, the first major malware infection targeting non-jailbroken iOS devices. Most organisations are unprepared to deal with the threats that these devices present to their networks because of a lack of tools that provide the right visibility and actionable intelligence.”

Doros says that businesses need to be aware of threats and trends, amongst them “sniper” and “shotgun” malware. “We believe that larger breaches in 2016 will be the result of custom-designed malware developed to get past the defences of specific organisations, such as the attack on US retailer Target. While generic, broad-brush attacks will continue to threaten individual users and small enterprises, hackers will raise their game when attacking larger organisations with more sophisticated security postures. They will use deeper, more sophisticated phishing and other social engineering tricks to gain access to the data that they want.”

“With so much noise in the market, it can be a daunting challenge for organisations to separate security fact from fiction. That’s why security portfolios should consistently be submitted to rigorous, independent, third-party testing that enables customers to understand how solutions perform in the real-world,” said John Ward, systems engineer at Fortinet. “Cyberthreats change, and as they do, security technology and multi-layered threat intelligence solutions need to keep up. There are threat protection (ATP) frameworks that deliver a broad and automated approach to security and combine threat prevention, detection and mitigation to thwart advanced attacks that are crafted to bypass traditional security defences.”

Fred Mitchell, security software division manager, Drive Control Corporation points out that trends such as mobility and bring your own device (BYOD) have added complexity, posing a number of security risks for organisations including the need to secure access from a wide variety of mobile devices.

“In addition, the growing popularity of software as a service (SaaS) for critical business applications as well as public cloud-based applications for data storage and sharing present an increased security risk.

“Previously utilised security methods, including passwords and traditional two-factor authentication (2FA) solutions are simply no longer sufficient to meet the evolving security threats faced by business today. In addition, advanced security methods have become increasingly cumbersome, reducing the likelihood that users will actually stick to security protocol and requirements.”

He makes a valid point. During the past few years the problem of non-compliance has been highlighted in almost every report and survey on cyber security. Banks warn their customers not to click on links in emails offering big rewards, yet people still do it! The problem is that this affects not only the owner of the device: if the person is part of a BYOD setup at work, the entire company network could be compromised.

Smart authentication that delivers strong security as well as greater ease of use has become essential, and contextual 2FA offered as a managed service has emerged as a good solution to this challenge.

Mitchell continued: “Mobility also increases the complexity around ensuring only authorised users gain access to sensitive corporate data. The challenges around security are the same as they always have been, specifically protecting against breaches when data and applications are accessed and complying with various regulations around data protection. The consequences of inadequate security include data theft, penalties for noncompliance with regulations, loss of intellectual property, and damage to brand reputation, amongst others. Given these changing requirements and the evolving threat landscape, smarter user authentication is essential.

“While passwords have been the go-to solution for user authentication, the reality is that they are simply not effective anymore. High profile breaches have proven just how easy they are to steal or work around. In addition, as the need for more complex passwords has arisen, the human element has become more of a challenge. People simply cannot remember their various passwords, and thus resort to unsafe techniques such as disabling them or writing them down, both of which are not secure practices.”

It is even worse when the network requires a user to change his password monthly. The common practice has now become to choose one basic password ending with a numeral denoting the month. It will not take a rocket scientist to work out someone’s password. And to make it worse, people write their passwords in their diaries. Security experts also advise users to have a different password for every type of service they subscribe to. Who can remember half a dozen or more passwords without noting them down and still having to change them monthly?

Mitchell put forward that the ideal solution to this challenge is 2FA which is offered as a managed service and combines a variety of contextual authentication options to meet a variety of different needs. SaaS or managed solutions offer the benefits of reduced capital outlay and maintenance costs as well as scalability and predictable costs. These solutions are agile and can combine the right authentication tools for any particular scenario, from the more traditional dynamic security codes, to more advanced solutions such as biometrics. In addition, they can be offered as contextual, tokenless authentication solutions that can adapt to the changing needs of the mobile workforce.

“By harnessing the power of managed services, these 2FA solutions enable organisations to leverage the proven benefits of token-based authentication without the hassle of the physical security token. Dynamic security code authentication can also be combined with other security methods including device fingerprinting, hardware-based identifiers, and user-behaviour risk analysis, to enhance security. This makes authentication simple for the user, as all of the verification takes place behind the scenes, and they are simply required to provide a user name and their security code to gain access. Contextual 2FA combines tokenless dynamic security codes with complex device analysis or a combination of device and behavioural analysis depending on the scenario, delivering proven logon security.”

Martin Walshaw, senior engineer at F5 Networks, asks the question: “Are we overlooking critical aspects for the fourth industrial revolution? The World Economic Forum (WEF) expects the internet of things (IoT) to eliminate more than 50-million jobs in the next five years as technology automates more day-to-day tasks. They’re calling it the Fourth Industrial Revolution, which is characterised by a fusion of technology that blurs the line between the physical and digital spheres. While automation makes life easier in many ways, it also presents a number of risks.

“Privacy is becoming a luxury for consumers. We use more and more gadgets to monitor our fitness levels, automate our homes, and replace everything from cash to ID cards. More data is being collected about us than ever before. Servers in the cloud know who we are, who we communicate with and are familiar with our habits. But we don’t know who is accessing this information or what they’re doing with it,” said Walshaw.

“When it comes to business, every industry will be affected. The IoT will give rise to entirely new systems of production, management and customer service. Competition will increase; new revenue streams will open up as others slam shut. To survive, businesses will offer more services through convenient web applications, which, if not secured properly, could provide an access point into the infrastructure for cybercriminals.

“These unsecured networks and this unprotected data can be used for nefarious purposes. Take the computerised pharmacist as an example. The pharmacy recently activated an application on its website that allows patients to order their medication online. However, the application was not properly secured, allowing a hacker to gain access to the network and compromise all prescriptions. Rather than dispensing paracetamol, the pharmacist gives you penicillin, which you’re allergic to.

“By automating more processes, we’re placing our trust in devices and software to do the right thing. This makes security a critical element of the IoT. In recent analysis by McKinsey, it was found that current technology could automate up to 95% of the work of doctors, nurses, paramedics, anaesthetists, aerospace engineers and hundreds of others. Imagine the catastrophic outcomes if any of these systems were to be hacked.”

We’re all responsible for security. South Africans are generally security conscious. We install burglar bars and alarm systems to protect our houses; we lock our parked cars. Yet, when it comes to our smartphones – arguably the most critical gadgets we own considering the amount of personal information stored on them – security is an afterthought. We don’t think twice about granting applications access to personal information, even if it doesn’t make sense for them to do so – why does a photo-editing app need access to our microphone, for example? Often our devices do not have security software installed and we don’t protect the devices with passwords.

This is one reason why businesses should ensure that any device added to the network has security inherently built in.

Walshaw continued: “As we move further into the fourth industrial revolution, businesses need to protect web applications as the first point of entry into the infrastructure. To do this, they need complete visibility into the network – they need to ensure that whoever is trying to come into the network is allowed to come in, that they are who they say they are, and that they’re doing what they’re supposed to be doing. Currently, many businesses don’t know what normal looks like when it comes to security because they have not established security baselines. A good place to start is with the “OWASP top ten web vulnerabilities”. At the very least, businesses should be protecting themselves against these, but this is not happening as some of these vulnerabilities have been on the list for years.

“Achieving IoT security does not require network overhaul. It’s likely that businesses already have infrastructure in place to support IoT security; they just need to consolidate their resources and possibly add another tool, such as SSL. An application security expert can assess your network and help you achieve a security baseline.

“The Fourth Industrial Revolution will drastically change how we live and work. This change will happen suddenly and possibly without warning. Don’t be caught off-guard. Start treating your devices, networks and digital identity as you would your physical security – we might not be able to tell the difference soon.”

I spoke to four experts in the cyber security world, each coming from a different perspective but all delivering the same message: Our cyber world is hostile! Should you not reconsider how well you and your company are protected?
