Monitoring for Effectiveness and Continual Improvement

Submitted by Katie.Koukouli… on Tue, 11/14/2023 - 14:10

Monitoring and research, along with cyber security safeguards and strong policy and procedure, are the cornerstones of an effective management approach to protecting a business from malicious penetration of its information technology (IT) platforms.

By the end of this topic, you will understand:

  • cyber security monitoring fundamentals
  • sources of information on cyber security developments
  • measures to ensure that cyber security is continually improved
  • measures to manage external third parties who can impact the integrity of a business’s IT platforms.

The approach to monitoring varies with the selection of software. Monitoring to create reporting in real time of hacking attempts is an essential instrument of cyber security management. This ensures:

  • penetration attempts are intercepted early
  • penetration attempts trigger evaluation of potential gaps
  • reporting drives continual network improvement to protect from the detected type of attack.
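The three outcomes listed above (early interception, evaluation of the gap, and a report that drives improvement) are easier to picture with a concrete detector. The following is an added example, not part of the course material or any vendor's product: it parses constructed sshd-style log lines (the sample lines are made up for the demonstration), counts failed logins per source address in a sliding window, and produces report entries that name the attack type, the addresses involved and the usernames targeted, which is exactly the information a security manager needs when deciding what to tighten.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines for the demonstration (not taken from any real host).
SAMPLE_LOG = """\
2023-11-14T14:01:05 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2023-11-14T14:01:07 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
2023-11-14T14:01:09 sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
2023-11-14T14:01:11 sshd[2204]: Failed password for root from 203.0.113.7 port 51241 ssh2
2023-11-14T14:01:12 sshd[2205]: Failed password for root from 203.0.113.7 port 51242 ssh2
2023-11-14T14:02:30 sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
2023-11-14T14:05:00 sshd[2215]: Failed password for alice from 198.51.100.9 port 40100 ssh2
2023-11-14T14:40:00 sshd[2290]: Failed password for root from 203.0.113.7 port 51300 ssh2
"""

# One regular expression covers both the failed and the accepted login forms.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed password|Accepted \w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Turn raw log lines into structured events; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "failed": m["outcome"].startswith("Failed"),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Raise one alert per source address that reaches `threshold` failures inside `window`."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["failed"]:
            failures_by_ip[e["ip"]].append(e)

    alerts = []
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits = fails[start:end + 1]
                alerts.append({
                    "category": "credential brute force",
                    "ip": ip,
                    "count": len(hits),
                    "first_seen": hits[0]["ts"].isoformat(),
                    "last_seen": hits[-1]["ts"].isoformat(),
                    "usernames": sorted({h["user"] for h in hits}),
                })
                break  # one alert per address is enough for the report
    return alerts


def format_report(alerts):
    """Render alerts as the one-line entries a centralised reporting console would show."""
    return [
        f"[{a['category']}] {a['ip']}: {a['count']} failures "
        f"{a['first_seen']}..{a['last_seen']} targeting {', '.join(a['usernames'])}"
        for a in alerts
    ]


if __name__ == "__main__":
    for line in format_report(detect_bruteforce(parse_events(SAMPLE_LOG))):
        print(line)
```

The alert lists the usernames targeted, so the evaluation step has something to act on: if `root` is being guessed, the gap to close may be password authentication for that account rather than the network perimeter. The single-address case at 198.51.100.9 never reaches the threshold and stays out of the report, which keeps the reporting focused on real attempts.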

Two types of software environment need to be managed for cyber security: the software on system and network devices, and the software resident on user digital devices. Cyber security monitoring for breach attempts exists for both types of platform. However, because they are a higher-value target for penetration, system servers and network software should have their own threat detection and reporting built in.

User digital devices will require the installation of a third-party application to provide cyber security monitoring and reporting. 

Software for System/Network Digital Devices

There are several common web servers used in business, such as Microsoft’s IIS (Internet Information Services) or Apache. Two businesses in the same field may use different application and database instances. For example, a sales company may use Salesforce application software with an Oracle database. Another company may use SAP (Systems Applications and Products) with Microsoft SQL (Structured Query Language). As a result, the types of monitoring and reporting vary with the type of software. For example, an Oracle cyber security exploit does not need to be managed if Oracle is not used by a business.

Network devices, such as ones developed by IBM and CISCO, also have their own native threat-level reporting capabilities built in.

Some organisations purchase threat-reporting software that centralises reporting for all the various critical assets in their business’s network. This software works with native threat management software to create a single point of reporting. Centralised reporting allows for easier management for businesses with larger digital device registries, which enables sharper focus on where remedial action is needed. Centralised reporting also facilitates communication with remote devices (such as mobile phones) to gather data.

Software for User Digital Devices

While there are several common and robust antimalware software options on the market, a business should look to unify reporting from the range of its user devices (such as laptops/phones) to a single surface to simplify and automate threat reporting.

As the range of systems in a business may be diverse (e.g. iOS (iPhone Operating System), Android, Win 10, Win 11, Mac), research should be undertaken to evaluate the various offerings so as to deliver high-level protection, detection and reporting that allows real-time management and centralised reports.

Predictive Monitoring

Predictive monitoring provides a way to estimate evolving threats and act to secure a business as needed before a cyber security threat impacts the business. Predictive monitoring reports on national and global trends, allowing for the prediction of evolving types of attack. A business can review trends and anticipate what attacks may pose a threat to its network.

There are free monitoring tools online that track evolving penetration attempts globally. Review of these sites can provide insight into local issues manifesting.

Reading

The following are examples of websites providing free monitoring tools:

Watch

Watch the video below to learn more about threat-monitoring tools. It is useful as a guide to begin researching enterprise-level threat reporting:

Practice

Conduct a gap analysis to evaluate effectiveness of free monitoring tools that track evolving penetration attempts globally:

Australian Cyber Security Centre (ACSC) 

Becoming a member of the Australian Cyber Security Centre (ACSC) is free, and the latest evolving threats are passed on to member businesses. Visit the ACSC website to learn more: Home | Cyber.gov.au


To be informed of new protection developments in ensuring the CIA (confidentiality, integrity and accessibility) of a business is a fundamental task for those charged with business cyber security. Furthermore, monitoring developments in black-hat attacks is likewise very valuable.

Researching can be approached as a cyclical task as well as a spontaneous approach (as and when required). Note that malware and cyber-attacks are not limited to any one nation, and any resource is useful regardless of the location it originates from if the information is accurate and reputable. Cyber security information can be gathered from:

  • online reputable hardware or software vendors – sources such as IBM, Microsoft, Apple and Google – as well as providers of anti-malware software
  • cyber security bulletins, such as the US Homeland Cyber Security feed
  • cyber security groups interested in CIA protection, such as the Information Security Network on LinkedIn.
Reading

Activity – Cyber Security Knowledge

Visit: Quiz library | Cyber.gov.au to test your knowledge of cyber security.


The leadership team in a small business may well include the person acting to provide cyber security. In larger companies, cyber security will likely report to the chief technical officer (CTO). Regardless, the decisions that are made on IT infrastructure should always encompass input from the cyber security perspective. Any addition, move or change must be considered as to its potential for creating new vectors of attack.

Critically, strong policy that is enforced and monitored, with breaches identified and rectified as soon as possible, is essential. As discussed previously, creating a culture of cyber security compliance and reporting underpins a safer business platform. Continual improvement comes from continually reviewing policy to remove opportunities for penetration of IT platforms. Technology changes and evolves, and business cyber security policy needs to move with it to address new threats.

Aside from relying on poor security management and new technology vectors, hackers prey on human nature. They look for predictable patterns of behaviour to discover passwords and backdoors into online systems (such as naming an access point ‘access point’). Policy should be designed to remove predictability from passwords to reduce this vector’s potential.

Sources of Improvement

Within a business, there are internal and external sources that can provide improvement to cyber security. Improvement is carried out by:

  • identifying potential exploits and closing these gaps
  • continuously tightening policy as needed
  • continuously providing education to staff on cyber security
  • maintaining patch applications as needed
  • rigorously enforcing cyber security policy
  • examining reports and trends in unusual network/system/device activity
  • continuously researching cyber security developments.

A further source of improvement comes from engaging with external expertise.

External Expertise (White Hats) 

As a part of advising a business, the individual managing cyber security should engage with external companies to perform a ‘white-hat’ operation for an objective review of a business’s security. This, in effect, is a broad and coordinated attack against a business to discover gaps in its cyber security. Without negative impact on the business, technical and physical exploits are attempted to discover whether a business has sufficient protocols in place to defeat an attack.

The report from a white-hat attack will be extensive and detail where a business is vulnerable to hacking attempts. These vulnerabilities are then closed – this may mean software patching or could mean operational changes driven by updates to a business’s cyber security policy.

While such activities have a financial cost, they should be considered as valuable when performed by a reputable organisation. Considerable care should be taken in selecting a white hat given the nature of the activity. The ACSC can aid in securing the services of a company to perform a penetration test.

Note: Patches respond to a variety of requirements, such as bug fixes and productivity improvements, and are not cyber security responses alone.

Reading
Visit: What Is A White Hat Hacker? | InfoTrust to research information on White Hats

Watch

Watch the video below to learn about strategic approaches for ensuring continuity of service for networked medical devices. It describes the responsibilities of users when managing digital devices:


Until this point, we have examined cyber security from what a business can control – the connectivity to their networks. But what about the third-party suppliers who may share direct connectivity and trade emails, documents and files?

There is little direct action that a business can take to affect the operations of another business. However, a business can seek to understand how third-party suppliers conduct cyber security and then consider how best to work with them.

For example:

  • If gaps are identified in the other business's cyber security, documents it sends by email could be quarantined until validated as safe by malware protection.
  • Links and any executable software are blocked when included on media or in emails.
  • You can require the other business to use a secure data cloud you provide for sending and receiving information.
  • Reaching out to the other business, seeking professional advice and providing direction with sensitivity should also be considered.
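The first two measures in the list above (quarantine documents until malware protection clears them; block links and executables) can be applied by a mail gateway before anything reaches a staff member. The following is an added example written for this page, not code from the course or from any mail product. The message and attachments are constructed, `demo_scanner` is a stand-in for the business's real antimalware engine, and the extension list is an assumption to be tuned to the business. The one point the list does not spell out, and which the code shows, is that executables must be recognised by their file signature as well as by extension, because a renamed `.exe` arrives looking like a `.pdf`.

```python
import re
from dataclasses import dataclass

# Assumed policy lists: extend to suit the business.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".msi", ".scr", ".com", ".bat",
                         ".cmd", ".ps1", ".vbs", ".js", ".jar"}
# File signatures: Windows PE ("MZ"), Linux ELF, and shell/script shebang.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class Attachment:
    filename: str
    data: bytes


def is_executable(att):
    """Check the declared extension AND the file signature, so a renamed binary is still caught."""
    name = att.filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return ext in EXECUTABLE_EXTENSIONS or att.data.startswith(EXECUTABLE_MAGIC)


def triage_message(body, attachments, scanner):
    """
    Apply the third-party mail policy:
      - executables are blocked outright
      - links in the body are removed and listed for review
      - documents stay quarantined until `scanner` reports them clean
    `scanner(data) -> bool` stands in for the business's malware protection.
    """
    decisions = {}
    for att in attachments:
        if is_executable(att):
            decisions[att.filename] = "blocked"
        elif scanner(att.data):
            decisions[att.filename] = "released"
        else:
            decisions[att.filename] = "quarantined"
    links = URL_RE.findall(body)
    clean_body = URL_RE.sub("[link removed]", body)
    return {"attachments": decisions, "links": links, "body": clean_body}


def demo_scanner(data):
    # Constructed stand-in: treats an Office file carrying a VBA macro project as not clean.
    # A real deployment calls the business's antimalware engine here.
    return b"vbaProject" not in data


def demo():
    # Constructed sample message from a supplier (not real data).
    body = "Hi, PO attached. Pay at http://supplier.invalid/pay before Friday."
    attachments = [
        Attachment("invoice.pdf", b"%PDF-1.7\n%clean document body\n"),
        Attachment("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00 renamed windows binary"),
        Attachment("setup.exe", b"MZ\x90\x00 installer"),
        Attachment("order.docm", b"PK\x03\x04 word/vbaProject.bin ..."),
    ]
    return triage_message(body, attachments, demo_scanner)


if __name__ == "__main__":
    for name, decision in demo()["attachments"].items():
        print(f"{name}: {decision}")
```

In the sample, `invoice.pdf` is released once the scanner clears it, `report.pdf` is blocked because its first bytes are a Windows executable header despite the document extension, `setup.exe` is blocked on extension, and the macro-bearing `order.docm` remains quarantined pending review. The payment link is stripped from the body and recorded so that someone can verify it out of band, which is the sensible response to the case study later on this page.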

Businesses connect with each other through documents and emails. If the sending business has poor cyber security protocols, the potential for malware to be sent to the recipient business is high. 

Case Study

Third-Party Risk Management

ACE Pty Ltd receives orders from ACME Pty Ltd. ACE is aware that ACME does not promote rigorous cyber security and has expired free antivirus software on its computers. As a result, ACE ensures that all documents sent from ACME are scanned for viruses/malware before opening.

Despite this, a laptop and phone are found to be infected from receiving documents from ACME because staff did not follow procedure. ACE’s IT specialist wipes the devices and restores a backup to each device. However, two days of data is lost due to the last good backup being three days old.

Watch

Supply Chain Automation

Aside from emails and documents, large businesses may use automated message traffic between themselves and known third parties they do business with. Some airlines, for example, use EDIFACT messaging to automate bookings for passengers on other airlines for additional sectors. EDIFACT is an acronym meaning the United Nations/Electronic Data Interchange for Administration, Commerce and Transport (UN/EDIFACT).

Automated supply chain systems such as EDIFACT are built on trust between companies and a need for high-speed message transacting. A message sent using EDIFACT is not checked for accuracy by staff – it is a computer-to-computer transaction.

Such trust in supply chain automation is open to exploitation by hackers who rely on a business accepting message traffic. For example, a hacker will mock up a message to appear as if it comes from a known third party to create purchase requests to direct money to a bank account they control.

Australian airlines, banks and government agencies typically have robust cyber security. However, businesses working with automated supply chain messaging with external companies overseas need to ensure that validation and identity checking is strong.
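The passage above says that automated, computer-to-computer messaging must rest on strong validation and identity checking rather than on trust that a message came from where it claims. The following is an added example for this page, not the course's material and not how any airline or EDIFACT product is implemented. It constructs a small UN/EDIFACT-style purchase order (the segments are made up for the demonstration), signs it with a per-partner shared secret using HMAC-SHA256, and shows an inbound gateway that identifies the sender from the UNB interchange header, verifies the signature with that partner's key, and refuses a replayed interchange control reference. The partner keys are placeholders.

```python
import hmac
import hashlib

# Constructed per-partner shared secrets: placeholders, not real keys.
PARTNER_KEYS = {
    "ACME": b"placeholder-secret-shared-with-ACME",
    "ACE": b"placeholder-secret-shared-with-ACE",
}

# Constructed UN/EDIFACT-style purchase order from ACME to ACE (segments end with "'").
GENUINE_ORDER = (
    "UNB+UNOA:3+ACME+ACE+231114:1410+000001'"
    "UNH+1+ORDERS:D:96A:UN'"
    "BGM+220+PO4711+9'"
    "NAD+BY+ACME'"
    "LIN+1++WIDGET-100'"
    "QTY+21:250'"
    "UNT+6+1'"
    "UNZ+1+000001'"
)


def interchange_header(message):
    """Return (sender, recipient, control reference) from the UNB segment."""
    seg = message.split("'", 1)[0]
    fields = seg.split("+")
    if fields[0] != "UNB" or len(fields) < 6:
        raise ValueError("missing or malformed UNB interchange header")
    return fields[2], fields[3], fields[5]


def sign_message(message, key):
    """HMAC-SHA256 over the whole interchange, hex encoded; the sending partner computes this."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


class InboundGateway:
    """Receiving side: checks who sent the message, that it is intact, and that it is not a replay."""

    def __init__(self, partner_keys, our_id):
        self.partner_keys = partner_keys
        self.our_id = our_id
        self.seen_refs = set()  # (sender, control reference) pairs already accepted

    def receive(self, message, tag):
        try:
            sender, recipient, ref = interchange_header(message)
        except ValueError as exc:
            return False, str(exc)
        if recipient != self.our_id:
            return False, "not addressed to us"
        key = self.partner_keys.get(sender)
        if key is None:
            return False, "unknown partner"
        # Constant-time comparison: a mismatch means the claimed sender did not sign this content.
        if not hmac.compare_digest(sign_message(message, key), tag):
            return False, "bad signature"
        # Only state-changing step, and only after authentication succeeded.
        if (sender, ref) in self.seen_refs:
            return False, "replayed control reference"
        self.seen_refs.add((sender, ref))
        return True, "accepted"


if __name__ == "__main__":
    gateway = InboundGateway(PARTNER_KEYS, "ACE")
    tag = sign_message(GENUINE_ORDER, PARTNER_KEYS["ACME"])
    print(gateway.receive(GENUINE_ORDER, tag))                 # accepted
    print(gateway.receive(GENUINE_ORDER, tag))                 # replay refused
    altered = GENUINE_ORDER.replace("QTY+21:250", "QTY+21:2500")
    print(gateway.receive(altered, tag))                       # tampered content refused
```

The order of checks matters: the signature is verified before the replay list is touched, so an unauthenticated message can never alter the gateway's state. A shared-secret HMAC is used here to keep the example self-contained; in production partner authentication is usually done with certificate-based signatures or a transport such as AS2 or mutually authenticated TLS, but the three questions the gateway asks (who sent this, is it unaltered, have we seen it before) are the same.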


Cyber security is a complex subject, but it is required because criminals are motivated to attack businesses. This unit has covered the fundamentals of securing digital essentials. While technical and policy focused, it is critical that cyber security programs have the backing of senior management. This ensures the financial and policy support needed to deliver an effective cyber security program.

Cyber security managers should communicate clearly and often to senior management about:

  • how the company manages cyber security
  • the consequences of not providing adequate resourcing.

The cost of recovering from a major cyber security incident will be high not only financially but also in terms of lost business and reputation. 
