Cyber threats & Responsibilities
Organisations should understand that cyber risks are inevitable and hence have to adopt a holistic approach to managing them.
In addition to developing a robust IT infrastructure, care has to be taken to examine who interacts with this infrastructure. Threats may be internal/external or ‘internal-external’.
Internal threats come from people who work for your organisation. The damage caused may be due to carelessness or ignorance: leaving a laptop open and unattended, losing it, falling prey to a malicious outsider, etc.
Internal threats, however, need not be due to carelessness/naivety alone. Insiders are more likely to have direct access to the systems and knowledge about how the organisation defends itself from attacks. The means/motive/opportunity equation comes to the fore at this time. Staff, contractors and other personnel who already have access to the system have a better chance of penetrating the defence systems as they are already part way in.
The internal vulnerability is often linked to functions other than IT. For example, Human Resources could impact the security of the system by failing to update a staff member’s job role or access rights. New staff, those moving roles and/or departments, and those leaving the organisation are also a risk to the stability and security of the system. Of these types of changes to staffing, the employees who are changing roles or leaving the organisation are a particular risk: changing a role does not mean it is appropriate to maintain the same level of access as before, and those leaving should also have their access removed at an appropriate time.
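The mover/leaver risk described above can be checked by reconciling HR records against live accounts. The following is an added example, not part of the original course material; the user names, roles, entitlements and the review_access function are all hypothetical and the sample data is constructed.

```python
from datetime import date

# Constructed sample data: the access each role is supposed to have.
ROLE_BASELINE = {
    "finance_analyst": {"erp_read", "payroll_read"},
    "hr_officer": {"hr_db_write", "payroll_read"},
    "hvac_contractor": {"billing_portal"},
}
# Constructed HR view: current role, employment status, contract end date.
HR_RECORDS = [
    {"user": "asha", "role": "hr_officer", "status": "active", "end_date": None},
    {"user": "ben", "role": "finance_analyst", "status": "active", "end_date": None},
    {"user": "carol", "role": "finance_analyst", "status": "left", "end_date": date(2024, 3, 1)},
    {"user": "dev", "role": "hvac_contractor", "status": "active", "end_date": date(2024, 2, 15)},
]
# Constructed IT view: what each account can actually do today.
ACCOUNTS = {
    "asha": {"enabled": True, "entitlements": {"hr_db_write", "payroll_read"}},
    # ben moved from HR to finance but kept his old HR database access.
    "ben": {"enabled": True, "entitlements": {"erp_read", "payroll_read", "hr_db_write"}},
    "carol": {"enabled": True, "entitlements": {"erp_read"}},
    "dev": {"enabled": True, "entitlements": {"billing_portal", "erp_read"}},
    "svc_old": {"enabled": True, "entitlements": {"erp_read"}},
}

def review_access(hr_records, accounts, baseline, today):
    """Return sorted (user, finding) tuples for enabled accounts that HR data does not justify."""
    hr = {rec["user"]: rec for rec in hr_records}
    findings = []
    for user, acct in accounts.items():
        if not acct["enabled"]:
            continue
        rec = hr.get(user)
        if rec is None:
            findings.append((user, "orphaned: no HR record"))
            continue
        ended = rec["end_date"] is not None and rec["end_date"] <= today
        if rec["status"] == "left" or ended:
            findings.append((user, "left or contract ended: account still enabled"))
            continue
        # Movers: anything beyond the baseline for the *current* role is excess.
        extra = acct["entitlements"] - baseline.get(rec["role"], set())
        if extra:
            findings.append((user, "excess for role: " + ", ".join(sorted(extra))))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in review_access(HR_RECORDS, ACCOUNTS, ROLE_BASELINE, date(2024, 4, 1)):
        print(f"{user}: {finding}")
```

The check is only as good as the HR data feeding it, which is why a missed update in Human Resources becomes a security problem.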
External threat actors have to work harder to gain access to the information. They include hackers gaining access to your systems, criminals stealing information for gain or other motives, cyber spies, etc.
However, there is a link to the internal vulnerability in the use of social engineering. Often a vulnerability that enables access to information that should be protected can come from the relationships between the inside (staff, contractors, etc.) and the outside (those wishing to exploit the relationship). The external vulnerability is also assisted by an insider who fails to keep the defences in place, for example by failing to update passwords, software versions and patches, or failing to monitor virus activity.
Internal-external threats are often perpetrated by people who don’t work for your organisation, but who have some connection with it. They could be the employees of suppliers or partner companies who have a lower level of access to some of your network, but not all of it.
One of the high-profile cases of cyber crime due to third-party access is that of the US retailer, Target.
Target suffered a major data breach in 2013 in which the personal details of up to 110 million customers were stolen. One of Target’s suppliers, a heating and air conditioning company, had access to Target’s computer systems. An employee of that supplier had been spammed with a phishing email which resulted in their login details to Target’s network being stolen.
According to reports, the criminals who had stolen the login data were then able to install software on Target’s computer network designed to capture the credit card details of store customers. Target had security systems that should have detected the installation of this software but for some reason it appears that they failed to act when the malicious software was installed. By allowing the heating company to connect to its computer networks, Target made itself more vulnerable to attack.
Consider your organisation and what vulnerabilities you may be facing internally and externally.
This isn’t necessarily a task where you can or should comment here, as the vulnerabilities you may identify amount to a possible security breach. If you think you have identified an area of weakness in your organisation’s digital infrastructure, please notify the individual(s) within your organisation responsible for this activity.
© Coventry University. CC BY-NC 4.0