Thursday 22 May 2014

Interview: Could staff training help to guard against cyber attacks?

The latest headlines are awash with news of security breaches at major companies, including the likes of Morrisons, Target and Kickstarter.


We speak to Catalin Cosoi, Chief Security Strategist at Bitdefender, regarding how or whether businesses can better educate their staff to be security aware, and how businesses can simplify their security strategy.


TechRadar Pro: Could the enterprise do better when it comes to the education of staff as far as IT security is concerned?


Catalin Cosoi: The average enterprise does not train general staff in IT security matters and this is more or less as it should be. Training should be restricted to familiarisation with job-relevant security procedures, of which the fewer there are, the fewer there are to get wrong. IT staff on the other hand really should be more security-aware.


TR: How should training differ at different levels of the business? Should all employees receive the same level of education?


CC: Generally speaking, an attacker will aim for the 'low-hanging fruit' first and will look to spear-phish the director's secretary, not the director himself – at least not initially. One of the jobs of IT security is to ensure that the gains are similarly low and that "privilege escalation" attacks are hard.


That being said, a small dose of operational paranoia instilled into key personnel can work wonders. To give an example of why education at all levels is so important, the HBGary "hack" was only possible because an administrator was a bit too trusting and accepting.


TR: What would Bitdefender consider to be best practice when it comes to IT security education for businesses and their staff?


CC: Identify who needs to be educated and then think long and hard about what you want to teach. For example, training people to change their passwords often is pretty useless, while showing them how spear phishing works might be useful.


Keep in mind that normally there is a tension between security and convenience and a harried middle manager will always choose convenience, unless training has convinced him or her that it is necessary to make such decisions in a conscious manner and that taking on security risks is not "free".


TR: Should network security now be reliant on more than just passwords following the recent news that researchers in Liverpool have created a computer virus that can spread via Wifi?


CC: The Chameleon virus' potential to spread through networks "like a common cold" highlights the importance of having robust administrative security procedures in place; an area that is overlooked by many.


Organisations should take steps to ensure that critical infrastructure and routers are protected from this, and similar, virus threats and technology should be the element that makes the difference.


Home routers and networks are actually beyond most people's IT administration skills, and as such the need to secure them doesn't even register. This is why passwords are often not secure enough.

In order to achieve true protection, security and maintenance should be simplified and automated as much as humanly possible.


Things should just work securely out of the box, because most people don't have the time, inclination or indeed motivation to become network security professionals.


TR: What are considered industry gold standards in today's cloud security industry?


CC: Despite industry efforts, cloud providers have yet to establish a standard framework to guide the interactions between enterprises and cloud service providers.


There are a number of organisations that ratify proposals for open standards and develop cloud security guidelines. Cloud Security Alliance (CSA) provides one of the industry's most comprehensible set of best practices for secure cloud computing.


The CSA has developed a compliance standard known as the CCM or Cloud Control Matrix, which describes various areas of cloud infrastructure including risk management and security threats.


As cloud usage continues to evolve so should security standards; however, it is extremely difficult to enforce a set of policies because of the very nature of the cloud – it is distributed within different geographic areas, with different regulations and even provided by different vendors based in multiple countries.


TR: Are there any security concerns that are exclusive to the banking industry?


CC: Obviously the banking industry has to deal with a host of regulations and laws that do not affect other industries – from PCI DSS or Basel III to various state-specific laws such as Sarbanes-Oxley. Not so obviously, to quote Willie Sutton, people rob banks because that's where the money is. An attack against a bank will make use of more money and technical expertise than a raid against a (comparatively) small credit card processor such as a chain store, for example.


Public clouds lure companies with the hope of standardisation and thus decreased costs, but this is also their biggest security downside. A breach in a cloud provider's security is a breach in all of its clients' operations.


TR: In what ways can hackers and cyber criminals make use of IT systems and social means to manipulate financial markets?


CC: There are quite a number of attacks that can manipulate financial markets. The most frequently encountered type of attack is pump-and-dump spam: a type of campaign that attempts to artificially inflate the price of cheap stock by presenting stock purchases as the best thing that the user could do.


Often, pump-and-dump spam messages claim that company X has just put together a product that is so revolutionary that it is going to increase the company's value thousands of times.


But pump-and-dump spam is not the only way to manipulate financial markets: a famous example being when cyber-criminals last year broke into the Twitter account of Associated Press, publishing fake news about the President of the United States being injured. Because of its wide reach, the news caused the temporary collapse of the stock market.


TR: What advice would Bitdefender give to businesses looking to simplify their security strategy?


CC: Online threats to small and medium businesses have never been so prevalent, or so complex. To counter the rising dangers of hacking, espionage, sabotage, phishing, viruses and data theft, we'd recommend businesses identify who needs to be educated, and then give them the correct tools to prevent real attacks by demonstrating what a cyber attack may actually look like, rather than just telling them to change their passwords often.


It is also advisable to consider a cloud security solution for businesses. Bitdefender Small Office Security cuts through the clutter by offering a simple, effective solution that can be deployed with complete efficiency by almost anybody working within an office environment. This solution also reduces server costs and frees up staff time, helping businesses to run more efficiently.

