New Trends in Corporate Cyber Security
The Rise of Cloud Computing
Cloud computing has developed rapidly over the last few years. As more and more services store data in the “cloud,” corporate IT departments can find themselves losing a degree of oversight and control. To ensure that information is secure, it’s important for IT to have full visibility. One potential threat is that employees may attempt to bypass IT to access information or services that they feel they need. In the process, they may be bypassing security systems and protocols, potentially creating vulnerabilities. To retain control when using cloud systems, it’s important to scrutinize cloud vendors closely. Company IT departments should be cognizant of where data is being stored, and whether the cloud service vendor meets appropriate security standards. From a risk management perspective, it’s wise to keep an eye on any third-party vendors who are responsible for the security of your data. Another solution would be to utilize a highly rated information technology staffing agency which thoroughly vets all of its employees. The Office of the Comptroller of the Currency has cautioned against several practices that can increase the risk of a data breach. Although its recommendations are aimed toward banking institutions, they are not exclusive to banks:
- Failure to assess and document the inherent risks in outsourcing services
- Failure to perform ongoing monitoring of third party services
- Entering into contracts with third party vendors without assessing the vendors’ security and risk controls
- Entering into contracts that may incentivize third parties to take risks with data security to maximize profit
- Engaging with third party vendors with inadequate formal contracts
Ransomware
Ransomware is a type of malware that encrypts a user’s files. The attacker then demands payment in return for the key needed to decrypt them. According to the Cyber Threat Alliance, a recent variant of ransomware known as “CryptoWall 3.0” has cost global users a total of over $325 million. The malware renders data inaccessible without paying the ransom, and attackers often use social engineering to gain an initial foothold. The problem with ransomware is that in many cases, it works. The easiest way for a company to regain access to its data is often to simply pay the money and be done with it. Companies can mitigate the threat from ransomware with robust backup routines, and better cyber security education for personnel can help deter the social engineering component of these attacks.
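A backup routine only counts as “robust” if someone checks that the copies are still intact, since an encryptor that reaches a mounted backup share will overwrite the backups too. The following added example (not code from the article) verifies an offline backup tree against a SHA-256 manifest taken at backup time and flags modified files whose bytes look like ciphertext. The manifest format, the 7.5 bits-per-byte entropy cut-off and the sample files are this example’s own assumptions.

```python
"""Added example: verify a backup tree against a stored SHA-256 manifest and
flag modified files whose byte entropy looks like ciphertext (i.e. encrypted
by ransomware rather than edited by a user)."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed cut-off: text, documents and code usually sit around 4-6 bits/byte;
# well-encrypted or compressed data approaches 8.0.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniformly random bytes approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash of every file under root at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current tree with the manifest.

    Returns lists of relative paths under 'missing', 'modified' and
    'high_entropy' (modified AND ciphertext-like)."""
    report = {"missing": [], "modified": [], "high_entropy": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            report["modified"].append(rel)
            if shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
                report["high_entropy"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: snapshot a manifest, then overwrite one file with
    random bytes (what an encryptor leaves behind) and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.txt").write_bytes(b"Quarterly figures, plain text. " * 200)
        (root / "notes.txt").write_bytes(b"Meeting notes, also plain text. " * 200)
        (root / "keep.txt").write_bytes(b"Untouched file. " * 200)
        manifest = build_manifest(root)
        (root / "report.txt").write_bytes(os.urandom(6400))
        (root / "notes.txt").unlink()
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest must be stored somewhere the backup host cannot write to (write-once media or a separate credential), otherwise an attacker who can encrypt the backups can also rewrite the manifest to match. The entropy check is a heuristic: legitimately compressed archives also score high, so treat it as a prioritisation signal rather than proof.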
Spear Phishing
“Spear phishing” is a malicious tactic that targets specific individuals or companies. The attacker deceives the user into handing over passwords, user information, and other sensitive information. Its effectiveness is primarily a matter of social engineering. While more technically inclined users are often aware of spear phishing, phishing websites are becoming increasingly sophisticated and convincing. It’s not uncommon for an employee to fall victim to a phishing scam that looks like the official login for a website or service. Spear phishing attacks are increasingly targeted toward high-level personnel, including C-suite executives. It’s important for IT departments to educate such personnel about the dangers of spear phishing.
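A convincing fake login page usually lives on a domain that imitates the real one: a typo, a digit swapped for a letter, a look-alike Unicode character, or the brand name embedded in an unrelated domain. The following added example (not code from the article) shows a defender-side check a mail gateway or link-rewriter could apply to URLs before a user clicks them. The trusted domain list, the homoglyph map and the sample URLs are constructed for this example; a production version would use the Public Suffix List instead of the crude "last two labels" rule and would decode punycode (`xn--`) hostnames first.

```python
"""Added example: classify a URL's hostname as trusted, look-alike of a
corporate domain, or unrelated. All domains here are constructed."""
import re
from urllib.parse import urlsplit

# Domains the organisation legitimately uses for logins (assumed values).
TRUSTED_DOMAINS = {"examplecorp.com", "login.examplecorp.com"}

# Partial map of characters commonly substituted for look-alikes (assumed).
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "|": "l",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
})


def normalise(name: str) -> str:
    """Lower-case, fold homoglyphs and drop separators used to pad a name."""
    return re.sub(r"[-_.]", "", name.lower().translate(HOMOGLYPHS))


def registrable(host: str) -> str:
    """Crude owner part (last two labels); real code should use the PSL."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typos/swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the URL's host."""
    host = (urlsplit(url).hostname or "").lower()
    if host in TRUSTED_DOMAINS or registrable(host) in TRUSTED_DOMAINS:
        return "trusted"
    own = normalise(registrable(host))
    for trusted in TRUSTED_DOMAINS:
        real = registrable(trusted)
        brand = normalise(real.split(".")[0])
        # Brand embedded in a foreign domain, e.g. examplecorp-login.net
        if brand in own:
            return "lookalike"
        # Typo or homoglyph a couple of edits away from the real domain
        if edit_distance(own, normalise(real)) <= 2:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://login.examplecorp.com/sso", "https://examp1ecorp.com/login",
              "https://examplecorp-login.net/", "https://www.python.org/"):
        print(u, "->", classify(u))
```

Such a classifier belongs at the point where links are rewritten or where a browser proxy logs clicks, so that a "lookalike" verdict can block the page or raise an alert to the security team rather than relying on the executive to notice a single substituted character.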
Dealing with Publicly Known Vulnerabilities
In many cases, hackers will exploit vulnerabilities that are already publicly known, but have not yet been resolved. While newer exploits are more likely to be publicized, the majority of attacks exploit bugs that have been known for years. This means that security analysts need to devote time and resources to remediating known vulnerabilities. The rise of new technologies compounds this issue, and many hackers target point-of-sale and internet of things technologies. Last year, HP released a 2015 Cyber Risk Report. The following tactics are recommended:
- Comprehensive patching to keep systems up to date
- Regular penetration testing
- Understanding new potential for attacks associated with new technologies, e.g. IoT
- Keeping up with new developments in the cyber security industry
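Comprehensive patching starts with knowing which hosts still run a version older than the first fixed release, and the point above about years-old bugs suggests ranking by how long a fix has been available. The following added example (not code from the article or from the HP report) cross-checks a software inventory against a list of advisories. Every host name, package, version and advisory id below is a constructed placeholder, not a real identifier.

```python
"""Added example: find hosts running versions older than a known fix and rank
the findings by how long the fix has been available. All data is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, not a real CVE or vendor id
    package: str
    fixed_version: str    # first version that contains the fix
    published: date


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10) so 1.2.10 sorts after 1.2.9 (string compare would not)."""
    return tuple(int(x) for x in v.split("."))


def is_vulnerable(installed: str, fixed: str) -> bool:
    return parse_version(installed) < parse_version(fixed)


def find_unpatched(inventory, advisories, today):
    """Return (host, package, installed, advisory_id, days_fix_available)
    for every vulnerable install, oldest available fix first."""
    by_pkg = {}
    for a in advisories:
        by_pkg.setdefault(a.package, []).append(a)
    findings = []
    for host, package, installed in inventory:
        for a in by_pkg.get(package, []):
            if is_vulnerable(installed, a.fixed_version):
                age = (today - a.published).days
                findings.append((host, package, installed, a.advisory_id, age))
    return sorted(findings, key=lambda f: f[4], reverse=True)


# Constructed sample data (placeholder ids, hosts and versions).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "webserver", "2.4.10", date(2014, 7, 15)),
    Advisory("ADV-EXAMPLE-0002", "webserver", "2.4.20", date(2016, 4, 11)),
    Advisory("ADV-EXAMPLE-0003", "pos-agent", "1.3.0", date(2015, 11, 2)),
]
INVENTORY = [
    ("web-01", "webserver", "2.4.7"),
    ("web-02", "webserver", "2.4.12"),
    ("web-03", "webserver", "2.4.25"),
    ("register-07", "pos-agent", "1.2.9"),
    ("register-08", "pos-agent", "1.3.0"),
]


def demo(today=date(2016, 6, 1)):
    return find_unpatched(INVENTORY, ADVISORIES, today)


if __name__ == "__main__":
    for host, pkg, ver, adv, days in demo():
        print(f"{host:12} {pkg:10} {ver:8} {adv}  fix available {days} days")
```

The report puts the point-of-sale register with a fix unapplied for months next to the web server that has missed two fixes, which is the ordering a patching team needs when the backlog is larger than the maintenance window. Feeding it real data means exporting the inventory from the configuration management or endpoint tool already in use and pulling advisories from the vendor feed, with vendor-specific version schemes handled in parse_version.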