Implementing Protection Strategies

Submitted by Katie.Koukouli… on Tue, 11/14/2023 - 14:08

Making cyber security an integral part of a business’s operations relies on a top-down adoption of behaviours built on strong information technology (IT) security protocols.

By the end of this topic, you will understand:

  • the range of security threats posed by networked digital devices
  • practical user behaviours to be supported by business policy
  • technology cyber security protocols for digital devices
  • physical cyber security protocols for digital devices
  • cyber security best practices
  • encryption.

Threats to a business’s operational IT infrastructure have two vectors: technology based and physical-action based.

We will break down the common sources of these threats and then examine effective counters.

Technology Based

For as long as data has been exchanged between computers, cyber attacks have existed that are designed to compromise the CIA (confidentiality, integrity and accessibility) of information systems. An effective early vector was infecting floppy disks with replicating software that would spread from computer to computer, looking to disrupt computer operations. In the 20 years since this technique was common, exploits of breaches in cyber security have kept pace with technology. Here are the common methods of illegal penetration of a business’s digital platforms:

Malware/Viruses/Trojans/Worms

Malware is any computer code written with malicious intent, such as stealing data, compromising data or locking computer systems, as is the case with ransomware. A virus is a form of malware designed to replicate from computer to computer; it is typically destructive rather than serving as an access mechanism. A ‘trojan’ is software that masquerades as something legitimate in order to load a virus into a computer system. The malware canon includes many other types, such as worms, which can spread through email, instant messaging and chat rooms. Note that rootkits, which open access to a device for cyber criminals, are a type of malware that runs as a background service providing an access point.

Phishing

Typically received as an email, a phishing attack tricks a user into providing personal details such as banking and login details. This is done by pretending to be a recognised authority, such as a bank, and asking the user to log in at a provided URL (Uniform Resource Locator). The URL will appear to be related to the genuine bank but is in fact a fictitious and fraudulent website. When the user enters their real information, the actors behind the phishing quickly log in to the real bank’s online service to steal. This can be limited by online account users setting low transfer limits, raised only momentarily when needed, and using two-factor authentication (2FA) to log in.

Visit: Phishing Attacks and How to Protect Against Them - Office of the Victorian Information Commissioner (ovic.vic.gov.au) to read about phishing attacks.

Man-in-the-Middle Attack

The man-in-the-middle (MITM) attack vector uses public Wi-Fi. When a mobile digital device connects to the Wi-Fi, traffic of the digital device is recorded for later exploitation. Often, the actors behind the fraud are the ones offering the free Wi-Fi.

Distributed Denial-of-Service Attack

As discussed earlier, a distributed denial-of-service (DDoS) attack is a deliberate flooding of a computer network to make legitimate access impossible, as the web server cannot process the volume of requests.

Zero-Day Exploit

It is possible that black hats discover breaches before gaps are identified by software developers. A zero-day exploit is an exploit to access a computer network using a method that no patch has yet been developed for.

SQL Injection

SQL (Structured Query Language) is the language used to make enquiries of databases. An SQL injection posts a query to a database directly – rather than through security layers – to copy or reveal sensitive corporate information. The injection can be performed on the business’s website using common SQL URL substitution. For example, a business sells engines for cars. A hacker wants to know about unreleased new engines. The company’s website is www.carstuffaaa.com.au. The business has an online database that can be searched. To do so, a user enters the word ‘engines’ in a search box. This is passed to the web server as:

www.carstuffaaa.com.au/type='engines'

The database is then sent a request as:

Select * from engines where type ='engines' and new=0

The hacker can then try entering:

www.carstuffaaa.com.au/type='engines'--

The ‘--’ generates the SQL code:

Select * from engines where type ='engines'

The ‘--’ is an SQL comment and forces the dropping of the ‘new=0’.

In effect, all engines that are loaded to the database will be displayed, not just the engines the business intends to show.

DNS Tunnelling

This is a complex exploit that relies on the nature of computer networks. The actors register a domain name server (DNS) entry that resolves to a genuine-looking URL – such as www.abcd.com – but the malicious DNS points to malware. In networking, DNS requests must be allowed to pass from one server to the next, to the next; this is the basis of the internet, and DNS facilitates web-based communications. The exploit wraps malicious commands inside DNS data to ‘tunnel’ into another network.

The evolution of hacking methods continues. As new technology emerges, techniques are devised by black hats to exploit vulnerabilities in a cycle, where cyber security then closes gaps.


Physical-Action Based

Theft of digital devices is a common occurrence. Mobile phones and laptops are expensive and attractive to thieves. Furthermore, unrestricted access to servers and network infrastructure can also result in theft as well as malicious damage.

Aside from theft, physical techniques used to threaten a business’s operational IT infrastructure include:

  • Malicious USB sticks. As discussed earlier, hackers can gain access to networks by leaving USB (universal serial bus) sticks loaded with malware around company carparks for an employee to find and use.
  • Exposed cabling. The ‘plumbing’ of a business’s internet should be hidden and guarded. Access to cabling allows a hacker to splice a cable to connect directly to a business’s network.
  • Tailgating. This is when a hacker gains access to a facility by walking in as part of a group of actual employees. Once in the facility, the hacker can access the company’s networks by inserting malware from inside.
  • Shoulder surfing. This involves watching keystrokes as they are entered. Passwords can be recorded by hackers to use for later access.


There are protection strategies that can be used to mitigate the technical and physical cyber attacks discussed in the previous section. Whatever strategies are employed, it can be assumed that there will always be script kiddies and black hats attempting to gain access to business systems. Cyber security is an ongoing activity and is always a cycle of review, improvement and change.

The strategies we will now explore cover cyber security thinking business-wide. A cyber security framework is required that combines technology and physical security with cyber security awareness in the workplace, supported by effective policy and training.

For example, effective cyber security frameworks that unify cyber security best practices into a single set of guidelines are the:

  • Centre for Internet Security (CIS) cyber security framework
  • National Institute of Standards and Technology (NIST) cyber security framework
  • Essential Eight cyber security framework developed by the Australian Cyber Security Centre (ACSC)

Frameworks are processes and guidelines that can be customised to suit a business’s required cyber security needs.

Effective Technology Cyber Security Protocols

Below are the details of the counters that are recommended to be deployed as a part of an overall cyber security strategy for each illegal penetration:

Malware/Viruses/Trojans/Worms

All digital devices should be loaded with a reputable anti-malware software package that is regularly updated with the latest library of emerging malware.

Importantly, users of these devices need to be trained to:

  • understand how the software works
  • not interfere or impede the anti-malware software operation
  • if automatic reporting is not enabled, contact IT support staff if the anti-malware software reports the interception of malware.

Phishing 

Anti-malware software will intercept code using email or websites as a malicious vector. While the software will be effective, users should be trained to:

  • understand why and how a virus/worm/etc. can be loaded over email to a receiving digital device
  • not open suspicious emails from untrusted sources
  • not visit non-business-related websites with business equipment – in effect, personal web browsing is prohibited.

MITM Attack 

The remedy for this vector requires user discipline to never:

  • use USB charging ports for business digital devices when in public spaces
  • use public Wi-Fi – 4G/5G connectivity should be used when outside the business network.

DDoS Attack 

A web server is designed to ‘listen’ on a port for web traffic. In effect, a DDoS attack can always be made. There are ‘flavours’ of DDoS attack: some target the web server passing traffic to backend systems, and some target the application servers themselves. Essentially, they all seek to overwhelm legitimate requests for service.

The response to DDoS attacks should be to:

Deploy a web server with network monitoring capability to detect unusual traffic, block traffic from that source and continue to process. When very large DDoS attacks are made, the buffer of a web server may simply ‘flood’ and cause the web server to fail. Note, unless a small business has significance to sophisticated black hats, a massive attack is unlikely. Large businesses and businesses with a public profile should consider placing specialised network devices in front of their web server to cater for such DDoS attacks.

More expensive web hosting from large data centres may offer DDoS protection in their service delivery.

In the event of a DDoS attack, quick intervention to track, trace and report the event to Australian cyber security agencies (such as the ASIC and the Australian Cyber Security Centre [ACSC]) is vital.

Note, a business that experiences a DDoS attack should consider moving from hosting critical infrastructure to cloud-based web servers with reputable environments. These providers have network capacity to manage an initial attack and use network detection platforms to identify and block DDoS sources of traffic.

Zero-Day Exploit

The only effective way to manage the occurrence of a zero-day exploit on digital devices is to remain current with all software patches, and to actively research and network with the software suppliers and the broader cybercrime community. A business managing cyber security requires detailed and regular research to react quickly to a new exploit as soon as it is identified.

Importantly, being one patch behind the current patch is an effective way to:

  • Not fall behind in patches so that, in the event of a zero-day exploit, there will not be considerable change or outages to operations in the business, as multiple patches are applied.
  • Not leap at the latest patch as soon as it arrives. New patches have been known to contain bugs as well as new opportunities for exploits.

(Note, always take the advice of your company’s IT support staff when deciding on a patch strategy.) 

SQL Injection

An SQL injection attempt, a common attack, can be blocked by software that acts to vet SQL exploits before parsing of data by the SQL handler on a database.

Hackers using this exploit rely on uninformed and/or poor cyber security management to succeed.

A professional database administrator can advise on the database-level actions to take to perform many of the functions anti-injection software delivers as well. Watch the video below for an example of SQL injection management:
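As an added example (not the page’s video and not the page’s own code), the engine search from the SQL Injection section above is built with Python’s sqlite3 on a constructed catalogue: the string-concatenated query the page describes sits beside the parameterised form a database administrator would recommend, and the page’s `engines'--` input is run through both. The table contents and the function names `make_db`, `vulnerable_search`, `safe_search` and `show_injection` are assumptions made for this example.

```python
import sqlite3

# Constructed sample catalogue (not the page's real data). The business intends to
# show only released engines (new = 0); unreleased ones are flagged new = 1.
SAMPLE_ENGINES = [
    ("V6 Classic", "engines", 0),
    ("V8 Classic", "engines", 0),
    ("Hydrogen Prototype", "engines", 1),
    ("Alloy Rim", "wheels", 0),
]


def make_db():
    """Build an in-memory database holding the sample catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE engines (name TEXT, type TEXT, new INTEGER)")
    conn.executemany("INSERT INTO engines VALUES (?, ?, ?)", SAMPLE_ENGINES)
    return conn


def vulnerable_search(conn, user_input):
    """The pattern the page describes: the search term is pasted into the SQL text.

    With the input engines'-- the quote closes the string and the comment
    removes 'AND new = 0', so unreleased engines are returned as well.
    """
    sql = "SELECT name FROM engines WHERE type = '" + user_input + "' AND new = 0"
    return sorted(row[0] for row in conn.execute(sql))


def safe_search(conn, user_input):
    """Hardened form: a bound parameter, so the input is data and never SQL."""
    sql = "SELECT name FROM engines WHERE type = ? AND new = 0"
    return sorted(row[0] for row in conn.execute(sql, (user_input,)))


def show_injection(conn):
    """Return (vulnerable_result, safe_result) for the page's engines'-- input."""
    payload = "engines'--"
    return vulnerable_search(conn, payload), safe_search(conn, payload)


if __name__ == "__main__":
    db = make_db()
    print("normal search:", safe_search(db, "engines"))
    print("vulnerable vs parameterised:", show_injection(db))
```

The parameterised query treats `engines'--` as a literal type name that matches nothing, which is the database-level control the paragraph above refers to.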

DNS Tunnelling

A DNS firewall can be placed between a business’s firewall and the internet as an additional layer of security. A DNS firewall blocks calls from suspicious web domains to the business’s web-facing applications. It is possible to whitelist domains so that only the domains listed can see traffic to and from the business (synchronous). In effect, unless a domain name is in the list, users on the business network cannot access a website looking to DNS tunnel.

Importantly, user education to avoid suspicious or non-business-related websites is a primary defence.
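An added example (not the page’s own code and not any product) that applies the DNS firewall idea above to a constructed DNS query log: each query is checked against a domain allowlist and then for the tell-tale shapes of the tunnelling described under DNS Tunnelling, namely long hex-looking labels carrying data and record types such as TXT. The log lines, the allowlist, the thresholds and the function names are assumptions made for this example.

```python
# Constructed sample DNS query log: timestamp, source IP, record type, query name.
SAMPLE_DNS_LOG = """\
2023-11-14T09:00:01 10.0.0.12 A www.abcd.com
2023-11-14T09:00:02 10.0.0.12 A mail.abcd.com
2023-11-14T09:00:05 10.0.0.31 TXT 6a6f686e2e646f652c3132333435.c2.example-tunnel.net
2023-11-14T09:00:06 10.0.0.31 TXT 70617373776f72643d687564736f6e.c2.example-tunnel.net
2023-11-14T09:00:09 10.0.0.45 A cdn.supplier-portal.com.au
"""

# Constructed allowlist: only these registered domains may be resolved from the network.
ALLOWED_DOMAINS = {"abcd.com", "supplier-portal.com.au"}
# Public suffixes where the registered domain is three labels long (assumed, partial list).
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au"}
MAX_LABEL_LENGTH = 24          # assumed threshold; ordinary hostnames are far shorter
ABUSED_TYPES = {"TXT", "NULL"}  # record types that carry arbitrary data in replies
HEX_CHARS = set("0123456789abcdef")


def registered_domain(qname):
    """Reduce a query name to the domain an allowlist entry refers to."""
    labels = qname.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def looks_encoded(label):
    """Long labels made only of hex digits are typical of data smuggled in query names."""
    return len(label) >= 16 and set(label.lower()) <= HEX_CHARS


def assess_query(qtype, qname, allowlist=ALLOWED_DOMAINS):
    """Return the reasons a single query looks like tunnelling (empty list = clean)."""
    reasons = []
    if registered_domain(qname) not in allowlist:
        reasons.append("domain not on allowlist")
    longest = max(qname.split("."), key=len)
    if len(longest) > MAX_LABEL_LENGTH:
        reasons.append("unusually long label")
    if looks_encoded(longest):
        reasons.append("label looks like encoded data")
    if qtype.upper() in ABUSED_TYPES:
        reasons.append("record type often used for tunnelling")
    return reasons


def find_suspicious(log_text):
    """Scan log lines and return (source, query name, reasons) for each flagged query."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, qtype, qname = line.split()
        reasons = assess_query(qtype, qname)
        if reasons:
            flagged.append((src, qname, reasons))
    return flagged


if __name__ == "__main__":
    for src, qname, reasons in find_suspicious(SAMPLE_DNS_LOG):
        print(src, qname, "->", "; ".join(reasons))
```

A DNS firewall would block the two flagged queries outright; the extra reasons help an IT support person decide whether the source device needs to be examined for malware.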

Router Management

One of the most fundamental exploits is poor router management. Typically, in smaller businesses, a single router provides the connection to the internet. When the router settings are not configured appropriately, low-level hackers can gain access to a business’s IT platforms.

While less common today, some businesses do not encrypt traffic or require username and password authentication to log in. Many more use weak levels of encryption because the router software is not updated – currently, this means anything below WPA3-level encryption (e.g. WEP, WPA and WPA2). ‘WEP’ stands for ‘wired equivalent privacy’, and ‘WPA’ stands for ‘Wi-Fi protected access’. The original versions of this software are 20 years old.

Encryption stops packet sniffing to detect usernames and passwords, and sensitive data collection by hackers. Routers should also:

  • change the default SSID (service set identifier) or access point name provided out of the box and hide its network name to stop scanning for networks
  • trust only known MAC (media access control) addresses as whitelisted.

Depending on specific advice from network specialists, you may choose to accept automatic patch updates as well. 

Effective Physical Cyber Security Protocol Combinations

The only effective parry to physical penetrations is training and secure zones. All staff should be made aware of the practice of tailgating and be watchful. Staff training should include awareness that screens can be read ‘over the shoulder’ and that confidential information should not be read in public places (such as on planes and in cafes). Business policy should also state that, if any staff find a USB stick or other device, they should hand it to the business’s IT support personnel. IT staff will make use of a test PC, which is unplugged from the internet/business network, to examine any suspicious device.

Server rooms, network racks and switches should be secured so that only authorised personnel can access the space, and only for authorised work; likewise, all network cabling into the business should be hidden or protected.

How a business maintains physical security of digital devices, including managing lost devices, should be clearly stated in policy and a part of any new employee induction. Monthly cyber security bulletins are an effective way to keep staff informed of changes and to re-enforce physical security messaging.

Note: As noted earlier, stickers and labels that identify a digital device’s actual network access route and drop (network location) should always be physically removed from the device.

Reading
Visit: Case studies - Industry sectors (nsw.gov.au) to read about examples of cyber security success stories.

Coupled with the specific solutions discussed in the previous section, there are best cyber safe practices that broadly interfere with many forms of cyber attack.

Account passwords are very often the target of hackers, and cyber security requires a robust password policy.

Password Policy

A model for protecting passwords should always include the following guidelines:

  • A policy of using complex passwords is enforced, which stops the use of easily guessed words. Numbers and symbols (e.g. ‘!’, ‘+’, etc.) must be included at least once in passwords to add complexity.
  • Password policy should stop re-use of passwords for a set time (e.g. 12 months).
  • Passwords must be changed routinely (e.g. every three months).
  • Effective password policy can be automatically implemented using security network administration software. On Windows, the group policy editor creates these conditions.

Note: In businesses running SSO (single sign-on), the admin burden on users is reduced, as they manage a single password only.
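An added example (not the page’s own code and not a vendor tool) that applies the password guidelines above as a checker: complexity (a number and a symbol), a denylist of easily guessed words, no reuse within 12 months, and a three-monthly rotation check. The 12-character minimum, the word list, the salt, the sample history and the function names are assumptions constructed for this example; only hashes of past passwords are kept, never the passwords themselves.

```python
import hashlib
from datetime import date, timedelta

REUSE_WINDOW = timedelta(days=365)    # page: no reuse for a set time (12 months)
ROTATION_PERIOD = timedelta(days=90)  # page: change routinely (every three months)
MIN_LENGTH = 12                       # assumed; the page sets no length
SYMBOLS = set("!@#$%^&*()-_=+[]{};:,.<>?/|~")
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}  # constructed denylist
PBKDF2_ROUNDS = 100_000


def fingerprint(password, salt):
    """Hash used only to compare a candidate against stored history entries."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS).hex()


def check_new_password(candidate, history, salt, today):
    """Return the list of policy violations for a proposed password (empty = accepted).

    history is a list of (fingerprint, date_set) tuples for the user's past passwords.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in candidate):
        problems.append("no number")
    if not any(c in SYMBOLS for c in candidate):
        problems.append("no symbol")
    # Crude check for a dictionary word dressed up with digits/symbols around it.
    letters_only = "".join(c for c in candidate.lower() if c.isalpha())
    if letters_only in COMMON_WORDS:
        problems.append("easily guessed word")
    fp = fingerprint(candidate, salt)
    for old_fp, date_set in history:
        if old_fp == fp and today - date_set < REUSE_WINDOW:
            problems.append("reused within the last 12 months")
            break
    return problems


def rotation_due(last_changed, today):
    """True when the routine three-monthly change is due."""
    return today - last_changed >= ROTATION_PERIOD


# Constructed data so the results below are reproducible.
SAMPLE_SALT = b"constructed-per-user-salt"  # real salts are random and per user
TODAY = date(2023, 11, 14)
SAMPLE_HISTORY = [
    (fingerprint("Summer2023!!", SAMPLE_SALT), date(2023, 8, 1)),  # about 3.5 months ago
    (fingerprint("Winter2021!!", SAMPLE_SALT), date(2021, 6, 1)),  # well over 12 months ago
]


def run_demo():
    """Evaluate a few constructed candidates against the sample history."""
    candidates = ["Summer2023!!", "Winter2021!!", "password", "Tr0ub4dor&3xyz"]
    return {c: check_new_password(c, SAMPLE_HISTORY, SAMPLE_SALT, TODAY) for c in candidates}


if __name__ == "__main__":
    for candidate, problems in run_demo().items():
        print(candidate, "->", problems or "accepted")
    print("rotation due:", rotation_due(SAMPLE_HISTORY[0][1], TODAY))
```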

Digital Device Use and Access Policy 

In addition to a strong password policy, digital device use and access requires a detailed approach to remove exploits that hackers can use.

As an overarching policy, the use of digital devices should be restricted to the following guidelines:

All devices must run anti-malware software.

Devices are used only for business purposes, and web surfing should be prohibited. This requirement is necessary as some websites – including social media platforms – have embedded links and processes, creating opportunities for penetration of a business’s IT platforms.

Lost devices must be reported immediately.

All mobile devices should use 2FA. Local area network devices are attached using cables and are within the firewall. It may be that only stakeholders with access to sensitive information are required to access systems using 2FA or multifactor authentication (MFA).

USB or portable storage devices are not used.

Public Wi-Fi and charging are never used.

On the database, key areas are encrypted to ensure unauthorised and direct access cannot read data in clear text. This, however, adds a processing burden to the database and encrypting only critical information is advisable. Always take the advice of your database admin when considering encryption on the database.

Regular and planned patching of digital devices in accordance with local business policy should always be undertaken. For system and network assets, cyber security policy will dictate when and how patches are applied – as a recommendation, this should be after testing to ensure a patch does not interfere with operations. For user assets such as phones and laptops, patches should be auto-configured to install outside normal business hours.

Access restriction is based on roles. In effect, any user has access only to the areas of the online/digital business application and infrastructure needed to perform their roles. On Windows networks, the organisational structure is replicated in the Active Directory, which facilitates application access. On an application level, with or without SSO, users are granted access by the application admin (such as the case with SAP [Systems Applications and Products] software). On mainframes running IBM software, RACF (Resource Access Control Facility) and ACF2 (Access Control Facility 2) are two common role access admin tools. Policy should be created that explicitly addresses what the business expects of mobile device users (such as reporting thefts and unusual activity).

Policy is created to address threat concerns from data in transit – such as sending digitally sensitive documents using the internet. In these cases, documents should be encrypted, with a password required to open them, and data transfers should use File Transfer Protocol Secure (FTPS) using a service providing validation. Furthermore, for sensitive documents, always consider whether sending by fax or secure courier is a safer alternative.

A policy is established to mitigate potential threats associated with data residing in third-party applications. When dealing with digitally sensitive information within these applications, encryption becomes paramount. All data should be encrypted, and access to it should require a secure and unique password. Additionally, the use of applications that implement robust security protocols, such as end-to-end encryption, should be prioritised.

Business digital devices are prohibited from accessing non-business-related websites and apps – including social media sites.

Firewalls should block ports that are not required or a known vector of attack, such as secure shells and remote access ports (e.g. Telnet 23, FTP 21, SSH 22).

A VPN should be used at all times when connecting remotely to the business, and under no circumstances should computer support that is not provided by the business be used. All requests by third parties for remote access should be refused.

Reading

Read the article below to learn about password policy for Windows 10: ‘Password Policy’ from Microsoft

Password Policy - Windows Security | Microsoft Learn

Case Study

In case study ‘Making a Digital Registry’ the general manager (GM) performed an audit of ACE Pty Ltd’s digital devices.

They found the following patch levels across the devices:

  • Win 10 21H2 – Five computers
  • Win 10 20H1 – One computer
  • Latest Canon patch applied – One printer
  • Latest Epson patch applied – One printer
  • Android 12 – Three mobile phones
  • Android 10 – One mobile phone

The latest version of Windows is not loaded to all computers, and the latest version of Android is not loaded to all mobile phones. The business policy is to always upgrade devices to the latest full version and stay back a release from the latest patch.

From this information the GM can see that one PC must be upgraded to 21H2 and one mobile phone upgraded to Android 12.

Tip
Individual user devices, such as phones, can be configured to patch/upgrade automatically or to prompt the user to do so, as can Windows PCs. This can be set to occur when devices are started up. That said, when patching critical infrastructure, it is advisable that test and release processes be undertaken to ensure continuity of service.

While a best practice, encryption is a broad subject and deserves individual focus. Encryption is, as the name suggests, the scrambling of information to make it illegible without corresponding decryption.

Encryption is applied to two distinct types of data: network traffic, and information data.

Encryption aims to ensure that only an intended recipient can read message traffic. If the data is intercepted by a malicious third party, the effort to ‘unscramble’ the information is very great and time consuming. No encryption is 100% perfect, and very high-end actors can decrypt data over time.

Small and medium businesses are not typically the targets of these high-end actors. Big businesses should assume that they could be a target and ensure that highly valuable business-critical information is not sent digitally.

Network Traffic

HTTPS, the secure protocol for the transmission of internet traffic, uses encrypted packets of data that are decrypted at the target destination. Both the user’s browser and the receiving server share a common and agreed key (swapped when the network conversation starts). The key refers to the algorithm used to encrypt the data and describes how to unlock the data and descramble it into clear text form. The most common algorithm is called DES (digital encryption standard), and this complex mathematical device generates the key.

Information Data

The files and databases can themselves be encrypted to ensure that, in the event of a breach, the data is illegible without using the corresponding workflow to decrypt the data. If data is stolen, it will take literally decades to unlock the data – which makes the data useless.

Applications (such as Adobe Reader Pro) provide facilities to encrypt files. As a part of the process, a password that acts as the key is embedded into the document. Sharing this password with the recipient through secure means allows the recipient to unlock the file.

Database encryption shares similarities with file encryption. The SAP system uses a master key, called the ‘KEK’ (key encryption key), to scramble the database – the database schema or structure is maintained and only the data is illegible. The SAP process requires a password to be used to trigger the creation of the KEK. After encryption, the system uses a task called the ‘AES’ (Advanced Encryption Standard) to act as the gatekeeper for application requests from SAP users to access information – to access the information, the password is required.

SAP AES allows for all, part or specific columns in a database to be encrypted. This is because, as a rule, only sensitive and confidential data should be encrypted. An entire database that is encrypted will perform poorly, as the encryption/decryption process adds significant processing overhead.

Note: Once data is legible, unencrypted data should not be stored locally as this then defeats the purpose of the protection.


Practice
Practise encrypting a Microsoft Word document: Protect a document with a password - Microsoft Support

Throughout this topic, there are references to mobile device best practices in cyber security. To gather these points for the basis of a single policy for mobile devices (phones/laptops), the following elements can underpin a mobile device policy:

  • In the event a device is lost, report the loss immediately to the business.
  • Never store data on the device or use USB/portable data storage.
  • Never install apps and other digital tools on the device.
  • Report any unusual activity on your device to the business.
  • Always allow the resident anti-malware to operate as is required.
  • Always use the company VPN when logging on outside the network.
  • Use the device only for business purposes.
  • Ensure all requests to patch the device are accepted when they occur.
  • Ensure passwords are changed when requested to do so.
  • Use only 4G or 5G when outside the business network, and never charge the device using public USB charging.
  • Protect your screen from third-party viewing when working with business data.

