Cyber Security and Digital Devices

Submitted by sylvia.wong@up… on Thu, 03/31/2022 - 19:04

A business will have a variety of digital devices in use to support its operations. Personal desktop computers, information technology (IT) servers, mobile phones and laptops connect to a business’s network and can hold significant amounts of sensitive data while providing entry into a business’s critical systems. Identifying and creating a registry of digital devices is a significant part of a business’s cyber security delivery to allow data security and access control.

By the end of this topic, you will understand:

  • The full range of digital devices that can connect to a business’s strategic systems
  • Digital device registries and their contents
  • The role of risk prioritising in classifying devices to select the appropriate security protocol

What is Cyber Security?

Cybersecurity is the practice of protecting computer systems, networks, and digital information from theft, damage, or unauthorized access. It encompasses a wide range of technologies, processes, and practices designed to safeguard digital assets and data.

Watch

Watch the video below from Murdoch University to find out more about why cyber security is more important than ever.

Digital Devices

In managing a business’s cyber security, a useful definition of ‘digital devices’ is items that use technology to perform a function and are connected to a business’s network. On first look, identifying digital devices may seem simple. In any business, the personal desktop computers, laptops and mobile phones used operationally are certainly digital devices. On closer inspection, the spectrum of devices in a business is broader. Consider the USB (universal serial bus) sticks, portable hard disks and the printers in your office. All these devices connect to a business’s network.

Any device that connects to a business’s network has the potential to be exploited to facilitate access to malicious agents. In effect, they open a business to be ‘hacked’. Furthermore, digital devices often store valuable confidential business information. Ensuring that a business knows what devices connect to its network and what is stored on these devices is a fundamental cyber security routine.

The Internet of Things

The Internet of Things (IoT) has opened a further level of network connectivity. The assumption that a digital device is always a computer no longer holds. Everyday objects such as microwaves, televisions and even wearable fitness devices connect using internet communication protocols such as TCP/IP (Transmission Control Protocol/Internet Protocol) and Bluetooth. In effect, IoT devices can be controlled remotely as part of a network.

A whiteboard used to be just a whiteboard, but now, an IoT-enabled whiteboard is able to interact synchronously with the wider set of digital devices across a business by being a part of a business network.

Watch

Watch the video below to learn more about the concept of the Internet of Things:

The Need for a Registry

In the early computing era of the 1940s and 1950s, computers were standalone. Processing data and creating reports, computers were not part of an integrated network. At this time, data security was focused on physical information security. For example, the paper reports of data runs or copies of data on physical tape reels were guarded. A data breach occurred when a human acted to remove the information from what was a secure facility.

Networking changed the requirements for data security. Not only could data be copied over the network, but it could also be deleted or encrypted to stop a business operating. Critically, networks allowed remote access. This created a new vector of attack that could be exploited by malicious third parties.

Networking also allows devices to ‘roam’. With employees working from home over laptops and phones, devices exist outside the primary internet security of a business – typically a firewall. Not only is there a vulnerability for illegal access to a business’s network, but there is also the potential that devices can be lost. When a member of staff loses their business phone, the business data that was on the phone is lost with it.

Knowing what devices connect to a network allows for better addressing of cyber security issues, including the:

  • itemisation of the business data that the devices contain
  • itemisation of methods of network connection that a device uses
  • classification of the device type – who is responsible for the device, and what the device is (software/ hardware).

Having a registry of digital devices enables planning for maintaining cyber security, and being prepared to act in the event of a security breach.

MAC Addresses

On any network, every device will have a unique MAC (media access control) address. The MAC address assigned to a device is a 48-bit or 64-bit number drawn from an address space large enough that the chance of two devices on the same business network having the same address is virtually nil.

A digital device registry should include the MAC address of each device listed. The international standard for MAC addresses is maintained by the Institute of Electrical and Electronics Engineers (IEEE). Large businesses looking to ensure the MAC addresses on their network are globally unique can purchase custom blocks of MAC addresses from the IEEE, rather than rely on the native MAC addresses loaded to the devices they purchase.

Watch

Watch the video below to learn more about MAC addresses:

MAC Spoofing

It is possible to change the MAC address a device presents on the network; this technique is called ‘MAC spoofing’. Because of this, relying solely on allowing only devices with a set range of MAC addresses is not a successful cyber security model. Rather, MAC filtering can be one layer in a wide range of defences that together build a defence-in-depth approach to cyber security.

Vectors

In cyber security, the concept of a vector is the principle by which all security breaches are facilitated. A vector is the method that a third party uses to illegally gain access to private information to exploit a business’s or private citizen’s technology for any means – financial gain or malicious intent.

The range of vectors is broad and spans from physical to technology exploits. Some vectors are well known, such as using an authorised person’s user ID and password (their identification/authorisation pair) to gain access to a system. Some vectors are less well known. A physical vector employed by third parties looking to gain access to a business’s IT systems is to leave unbranded USB sticks in company car parks. When a curious staff member plugs the USB stick into their computer, an exploit is opened, allowing a malicious third party to access the activity on that PC. This can include capturing the keystrokes (keylogging) of the user’s actual username and password to gain access to the business’s backend data.

Legal and Code of Conduct Responsibilities

Beyond being a critical step in creating a business’s cyber security envelope, a digital device registry is also relevant to direct regulations and indirect codes of conduct for cyber security in Australia. The legal framework for cyber security extends further; the compliance requirements noted here pertain only to the need for creating a digital device registry.

Direct Regulations

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and the Privacy Act of 1988 (Cth) require businesses to inform the Office of the Australian Information Commissioner (OAIC) when personal information has been accessed by unauthorised third parties. According to the OAIC, this occurs when:

  • a device with a customer’s personal information is lost or stolen
  • a database with personal information is hacked
  • personal information is mistakenly given to the wrong person.

According to the 2017 amendment in the Privacy Amendment Act, Division 3, subdivision A:

(2) The entity must:

(a) carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity; and

(b) take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes aware as mentioned in paragraph (1)(a).

Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)

The entity in this case is the business that has had personal data of individuals exposed. To be organised and able to identify the source of a data breach and respond with an ‘expeditious assessment’, a business should maintain a device registry.

Furthermore, the Privacy Amendment Act requires businesses to inform all individuals affected by a data breach likely to do serious reputational harm.

Without a device registry, fundamental information as to the source of a breach is not readily at hand and can, in the case of a company, constitute a breach of care and diligence under the Corporations Act 2001 (Cth), which makes company directors personally liable. As the penalties for privacy breaches for individuals and businesses range from tens of thousands to millions of dollars, ensuring best practice cyber security and maintaining a digital device registry is critical.

All Australian businesses with a turnover of more than $3 million, and/or that operate in finance or health or contract with the government, must comply with the Notifiable Data Breaches amendment to the Privacy Act 1988.

Indirect Codes of Conduct

The Australian Securities and Investment Commission (ASIC) maintains the voluntary ‘Cyber Resilience Good Practices’ code of conduct. Within the code, there is a direct reference to maintaining a centralised digital device registry: ‘Asset inventories for hardware, software and data, both internal and external to organisations, are managed through a centralised asset management system.’ A digital device registry is a central plank of a best practice cyber security approach.

While the ASIC code is voluntary, when considered in the light of the direct regulations discussed previously, it is advisable for businesses to follow it. As Australia’s business oversight and regulatory enforcement agency, ASIC’s advice, when followed, demonstrates a business has adopted a best practice approach.

Reading

The device registry is a key cyber security resource. The registry is one of the resources a business requires to build a viable cybersecurity model.

Creating a Digital Device Registry

Creating a digital device registry is a time-consuming task. Considering that a typical business has numerous devices of various types, with a range of hardware and software configurations, there is more to the process than simply itemising each device. For example, a registry needs more than a simple count such as the number of PCs in the head office; each device needs its own entry.

A registry needs to list a minimum of six points:

  1. Location/device owner – This itemises the literal physical location of the device or the person responsible for the device.
  2. Device name – This provides a unique common name, such as ‘office printer’ or ‘home laptop’, to identify the device.
  3. Type of computer/device – This relates to the hardware and software of a computer/ device. This assists in the application of software patches to keep devices up to date with the latest functional and cyber security software.
  4. Device MAC address – All digital devices on a network will have a unique MAC address. This should be recorded as the unique identifier. On a business network, each MAC address is mapped to an IP address. Depending on where a device is plugged in (e.g. which specific wall port it is cabled to), the IP address can change; however, the MAC address remains unchanged. Once the registry is complete, the MAC addresses it lists can be used to exclude any MAC address not in the registry from accessing the business network. On a firewall, this is called ‘MAC filtering’.
  5. Method of access – Is the device connected to the business network after validating a username and password? Does the device require a virtual private network (VPN) to connect? 
  6. Patch level and data held – Business policy typically requires users to rely on networked data access rather than local storage, although local storage of sensitive information can occur. Regardless, depending on the applications on the device, the range of data that can be accessed varies. This is especially true when devices are used by one team or an individual in a business. Consider, for example, a PC used by the accounts team. This PC may store local data about the business’s clients. A PC on a shop floor may contain parts inventory information.

There may be other fields a business wishes to add, such as valuation of the device. For strictly cyber security purposes, the six fields listed are the minimum requirements for the registry. Note that USB sticks and portable hard disks, while digital devices, do not have MAC addresses, and in a digital device registry, their MAC address field should be empty. Only devices with a network interface card (NIC) have a MAC address.

Depending on the size of the organisation, the approach to cataloguing digital devices will vary. In a small business with a single location and limited mobile devices, it is sufficient to methodically audit each device. The audit is often done by IT staff.

In bigger organisations, referring to the asset inventory in the business’s finance and accounting package may be the first step. As bigger companies may have multiple locations, creating a registry of devices will likely be performed by more than one person, although managed by a single role, such as the IT security officer.

The objectives in both cases remain the same:

  1. Create a list of the digital devices connected to the business network.
  2. Identify their working hardware and software, and how each device is attached to the network.
  3. Identify the data that each device stores and the role the data plays in the business.

Achieving these objectives means that each device can be assessed for its risk level for a data or access breach, and the threat the risk poses to the business.

Follow these steps to create a digital asset registry:

  1. Ensure business stakeholders are supportive of the activity.
  2. Identify the locations and people required to perform a complete review of the digital devices in a business – this varies according to the business size.
  3. Refer to business policy as to what is and what is not an acceptable device to connect to the network. If no such policy exists, consider writing such a policy before creating the registry. The process of reviewing devices can then also identify any devices that should be removed from the network.
  4. Document each digital device’s characteristics in the digital device registry. Ensure the information contains at a minimum the six data points referred to in this section.
  5. Set a viable amount of time to create the registry. The time taken should not be too long but should be enough to capture a snapshot of all the digital devices in a business.
  6. Date the registry and plan for cyclical updates.

As noted previously, cataloguing in detail the range of digital devices in a business, big or small, requires time and effort. Furthermore, it requires the cooperation of people across the organisation. As a result, before undertaking the exercise, it is important that senior stakeholders in the business are aware of the requirement and support the process.

Business stakeholders should always be engaged with, and briefed on, any cyber security initiative. Their support ensures cyber security policy, processes and behaviours are a requirement in the workplace and greatly assists in establishing a culture of thinking about information security and access.

Explore

Visit the website and download the Digital Asset Register template to understand more about creating a DAR:

Develop your digital technology assets register|Digital Transformation Hub

Important

Given the contents of the device registry, the registry is strictly business confidential. Protecting the device registry to allow access to only authorised personnel in a business is essential. A registry is typically a spreadsheet, and if a registry is compromised, this constitutes a significant cyber security breach.

Case Study

The general manager (GM) of ACE Pty Ltd, a small business, is undertaking the creation of a digital device registry.

The business is run from a small office and has a staff of six. The business specialises in the sales of roofing tools for construction. Of the six staff, three are in sales (referred to as S1, S2 and S3 in the following table) and are often on the road, one is in warehousing (referred to as W1), and one is in IT.

The business has a digital device policy that notes that no personal mobile devices are to be connected to the business network. Furthermore, the use of USB sticks and external hard disks is prohibited, and all data must be updated/uploaded to the business’s data cloud. No business data is stored locally on any device. The three sales staff connect to the business’s ordering system to log orders from clients.

The warehouse staff member connects to the ordering system to see what is needed to ship and track orders. The GM connects to the ordering system for reports on sales and connects from home to the ordering system. Over a two-day period, the GM reviews all the digital devices in the business and creates the following table:

| Location / Device Owner | Device Name | Device Type | MAC Address | Access Method | Patch Level |
|---|---|---|---|---|---|
| Office / GM | GM's desktop PC | Computer | 64-63-37-4F-7E-B6 | Username and password authentication | Win 10 21H2 |
| Office / GM | GM's printer | Printer | BC-3F-1F-4D-60-82 | Auto correct | Latest Canon patch applied |
| Mobile / GM | GM's phone | Mobile phone | D8-BE-AB-E4-B2-C6 | Username and password authentication, VPN | Android 12 |
| Mobile / GM | GM's laptop | Computer | 2E-4D-FD-E9-4D-E7 | Username and password authentication, VPN | Win 10 21H1 |
| Mobile / S1 | S1's laptop | Computer | C3-1E-F0-8F-E8-5D | Username and password authentication, VPN | Win 10 21H2 |
| Mobile / S1 | S1's phone | Mobile phone | 0A-66-4B-BB-52-4A | Username and password authentication, VPN | Android 12 |
| Mobile / S2 | S2's laptop | Computer | A0-BC-D4-9D-0D-C8 | Username and password authentication, VPN | Win 10 21H2 |
| Mobile / S2 | S2's phone | Mobile phone | 9A-AD-7A-87-9F-EF | Username and password authentication, VPN | Android 12 |
| Mobile / S3 | S3's laptop | Computer | 98-88-CA-97-D2-07 | Username and password authentication, VPN | Win 10 21H2 |
| Mobile / S3 | S3's phone | Mobile phone | 2F-2E-62-76-85-CB | Username and password authentication, VPN | Android 10 |
| Warehouse / W1 | W1's desktop PC | Computer | A6-6C-56-85-71-81 | Username and password authentication, VPN | Win 10 21H2 |
| Warehouse / W1 | W1's printer | Printer | 9D-6C-F2-1C-94-F9 | Auto correct | Latest Epson patch applied |

During the review, the GM finds that one sales staff member used a USB stick to back up orders. This practice was discontinued. The GM finds no business data was being retained on digital devices.

The GM provides the MAC addresses to the company’s IT consultant, who updates the firewall and creates a ‘whitelist’, a list of MAC addresses allowed to connect to the order system.

The GM schedules a review of the digital device registry in three months.

The GM notes that all the devices connect to the business network and access the order system using a username and password. Furthermore, before logging on, users open a VPN, which encrypts the data between the user and the business’s network.

Note: A ‘patch’ is a small update to a computer’s or phone’s operating system, such as iOS (iPhone Operating System), Windows or Android. An ‘upgrade’ is a release that significantly changes the entire operating system.

Reading

A part of cyber security remote operations, VPNs protect businesses from ‘packet-sniffing’ software, which can intercept data traffic and rebuild messages and data sent. A ‘packet’ is the smallest amount of data sent on a network – hence the name. Read the article below to learn more about VPNs:

What is VPN? How It Works, Types of VPN (kaspersky.com)

Practice

On a personal computer running Windows, the MAC address can be found by opening the command window as the administrator and entering ‘ipconfig /all’. The MAC address for that PC is the value listed as the ‘Physical Address’, typically six pairs of hexadecimal digits. Often, other devices will have paper documentation or even stickers on the device noting the MAC address. In this case, once the MAC address is noted, the sticker should be removed, as this information could be exploited. Using your Mac or PC, find the MAC address using this tutorial:

15 Ways to Find the MAC Address of Your Computer - wikiHow

Maintaining a Device Registry 

Without periodic updating of the digital device registry, the contents of the registry will become out of date. Whenever devices are removed from the network for any reason, or new devices added, the business policy should ensure that the group or individual maintaining the registry is informed. This is often the person responsible for IT in a business.

Changes occur over time in the devices a business uses due to:

  • new equipment purchases replacing redundant or failed digital devices
  • purchases of entirely new equipment
  • old equipment being sold or retired
  • devices, especially mobile devices, being lost or stolen.

To manage the recording of these changes, aside from lost or stolen devices, a business’s procurement policy should ensure as part of the process that changes in equipment are recorded.

When devices are lost or stolen, the business’s mobile devices policy must describe the process for reporting a missing device to the business. All businesses should have a policy describing the allowable and prohibited use of mobile devices supplied to staff. When digital devices are lost, early reporting allows a business to react to the loss, to quickly assess the potential impact on cyber security – as well as manage insurance and claiming any loss.

While policies can be put in place to ensure the digital device registry stays current, there are instances when policy may not be followed, and the registry becomes out of date.

When this happens, not only does it increase the potential for security breaches, but non-registry-listed devices often will not be maintained with the latest local cyber security protection.

To manage the currency of the registry, the registry keeper should:

  • Check with procurement in a monthly business meeting to discover whether there has been procurement of digital devices and to ensure any new device has been added to the registry.
  • Have the IT group run a weekly report to list all the MAC addresses on the business’s network. A MAC address included in this report but not in the registry is considered an unknown device and should be removed from the network. The process of compiling the report and comparing it to the register to identify unknown MAC addresses can be automated by competent information technologists.
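The weekly comparison of network MAC addresses against the registry, which the page notes can be automated, together with the MAC allow-list derived from field 4 of the registry (the ‘MAC filtering’ input), as an added Python example that is not part of the original course material. It assumes the registry is kept as a CSV file with the six fields described in this section and that the weekly report is the text that `arp -a` prints on a Windows host; every registry row and report line below is constructed for illustration, including a deliberate letter O typed for a zero and a USB stick with an empty MAC field.

```python
"""Reconcile a digital device registry against a weekly MAC report.
Added example, not from the original course material. Assumes the registry is a
CSV with the page's six fields and the weekly report is `arp -a` text from a
Windows host. All values below are constructed."""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Constructed registry. The USB stick has an empty MAC (no NIC, no MAC), and
# S2's laptop has a letter O typed for a zero, an error the checks must catch.
REGISTRY_CSV = """\
location_owner,device_name,device_type,mac_address,access_method,patch_level_data
Office / GM,GM's desktop PC,Computer,64-63-37-4F-7E-B6,Username and password,Win 10 21H2
Office / GM,GM's printer,Printer,BC-3F-1F-4D-60-82,Auto connect,Latest Canon patch applied
Mobile / S3,S3's laptop,Computer,98-88-CA-97-D2-07,Username and password + VPN,Win 10 21H2
Mobile / S2,S2's laptop,Computer,AO-BC-D4-9D-0D-C8,Username and password + VPN,Win 10 21H2
Warehouse / W1,W1's USB stick,USB storage,,Physical only,No network interface
"""

# Constructed weekly report in the layout `arp -a` prints on Windows.
ARP_REPORT = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           bc-3f-1f-4d-60-82     dynamic
  192.168.1.10          64-63-37-4f-7e-b6     dynamic
  192.168.1.77          3c-52-82-11-aa-09     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)\s*$"
)


def normalize_mac(raw: str) -> Optional[str]:
    """Return 'xx-xx-xx-xx-xx-xx' (lower case) or None if the value is malformed.
    Accepts '-', ':' and dotted forms; anything not reducing to 12 hex digits
    (e.g. a letter O typed for a zero) is rejected, never silently accepted."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def load_registry(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({mac: device_name}, problems). Empty MACs are accepted (USB
    sticks, portable disks); malformed or duplicate MACs are reported."""
    known: Dict[str, str] = {}
    problems: List[str] = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["mac_address"].strip()
        if not raw:
            continue
        mac = normalize_mac(raw)
        if mac is None:
            problems.append(f"{row['device_name']}: malformed MAC '{raw}'")
        elif mac in known:
            problems.append(f"{row['device_name']}: duplicate MAC {mac} (also {known[mac]})")
        else:
            known[mac] = row["device_name"]
    return known, problems


def parse_arp_report(text: str) -> Dict[str, str]:
    """Map normalized MAC -> IP for learned ('dynamic') entries only; static
    entries are broadcast/multicast placeholders, not devices."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            seen[normalize_mac(m.group(2))] = m.group(1)
    return seen


def allow_list(registry_text: str) -> List[str]:
    """Normalized registry MACs, ready for a switch or firewall filtering list."""
    return sorted(load_registry(registry_text)[0])


def reconcile(registry_text: str, arp_text: str) -> Dict[str, object]:
    """'unknown': on the network but not registered (remove from network);
    'absent': registered but not seen this week (roaming, retired or lost?);
    'problems': registry rows that need correcting."""
    known, problems = load_registry(registry_text)
    seen = parse_arp_report(arp_text)
    return {
        "unknown": {mac: ip for mac, ip in seen.items() if mac not in known},
        "absent": {mac: name for mac, name in known.items() if mac not in seen},
        "problems": problems,
    }


if __name__ == "__main__":
    report = reconcile(REGISTRY_CSV, ARP_REPORT)
    for mac, ip in report["unknown"].items():
        print(f"UNKNOWN {mac} at {ip}: not in registry, remove from network")
    for mac, name in report["absent"].items():
        print(f"NOT SEEN {name} ({mac}): confirm roaming, retired or lost")
    for problem in report["problems"]:
        print(f"REGISTRY PROBLEM {problem}")
```

Run as a script, it reports the unregistered device at 192.168.1.77, the registered laptop that was not on the network this week, and the mis-typed registry row. The normalisation step is the important design choice: switch and firewall filters, `ipconfig` output and spreadsheets all write MAC addresses with different separators and case, and a malformed registry entry that is silently dropped from an allow-list locks a legitimate device out, so malformed rows are reported to the registry keeper rather than ignored.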

Typically, when a device is removed from the network, IT support or the appropriate support person is notified. Why the device was connected and what the device is can then be determined.

Tip

It is possible to set up a mobile phone to facilitate remote disabling and data deletion. In the event a phone is lost, the device can be rendered clean of business data.

For Android phones: ‘Find, Lock, or Erase a Lost Android Device’ from Google Account Help: Find, lock, or erase your lost Android device - Google Account Help

For Apple phones: ‘If Your iPhone, iPad, or iPod Touch Is Lost or Stolen’ from Apple: Find your lost iPhone or iPad with Find My - Apple Support

Note: This is a last resort, and you should always refer to the latest advice of your phone’s operating system supplier or handset manufacturer.

Using USB and Portable Storage Devices

As noted in the case study ‘Making a Digital Registry’, a sound cyber security policy excludes USB sticks and portable hard disks from the set of authorised devices. While they can be convenient, cloud storage with file management is equally convenient and typically, in quality cloud storage solutions, has a secured environment that blocks unauthorised access.

USB and portable storage devices provide a vector to connect malicious software hidden on these devices to a business’s network. For example, a USB stick may contain network access software to allow external access first to the USB stick and then to the host PC.

Furthermore, when a business uses USB and portable storage devices to move and store files, the risk of data loss from a device failure, and the risk of devices being stolen are real cyber security vulnerabilities. As such, it is advisable that businesses use a reliable cloud service and not include USB and portable hard disks in the list of allowable digital devices.

Reading

It is possible to access a laptop using USB when a device is being charged using the USB port. This is called ‘juice jacking’, and a best practice is to avoid using USB charging stations at airports.

Read the report below for explanation: ‘Cyber Security in Focus: The Vulnerability of the USB Port’ from Saab

Cyber security in focus: The vulnerability of the USB port (saab.com)

Watch

Watch the video below to learn how ‘juice jacking’ works and the vulnerability it creates. In effect, a USB carries power and data at the same time, and plugging in a device allows charging and can facilitate third-party actors to access the digital device:


Case Study

Lost Digital Device

One of the sales staff at ACE Pty Ltd reports they have lost their phone. The GM identifies the phone in the asset registry and disables access to the phone remotely. Using the MAC address of the phone, IT support staff exclude the phone from accessing ACE’s network.

A new phone is provided to the sales staff member. As the sales staff follow best operational practice, the old phone’s contact list, which was backed up to the cloud, is loaded onto the new phone.

The sales staff are trained not to send emails direct from their devices and not to use SMS for confidential business communications. As a result, the time it took from the phone being lost to the phone being disabled did not allow a third-party actor time to exploit the confidential data.

Data Policy and Exceptions

Ideally, a business should not allow business data to be held on digital devices. As in the case study ‘Lost Digital Device’, any data exposure can be exploited, resulting in a degree of business loss. It is recommended as a matter of policy that:

  • No business data is stored on digital devices.
  • Digital devices do not retain stored user IDs and passwords that would allow third parties to access business software if they have illegally obtained a device. In effect, users must always log on to systems and cannot use browsers or Windows/Mac systems to remember user IDs and passwords.
  • Email is read online through a secure browser, and no business emails are stored locally. If a device is lost, no one will be able to read emails on the phone or laptop as they are not stored on the device.

This is ideal. However, a business may decide that some business data, for convenience, can be stored on digital devices, as the data is not business critical. Also, especially on mobile phones, contact lists and SMS traffic are stored locally by default. (There are third-party applications that claim to perform encryption of contacts and SMS messages. However, they are outside the Android native architecture and should be looked at very carefully before use.)

So, for reasons of efficiency and operational reality, digital devices may contain some business data. However, under no circumstances should highly sensitive data be outside the cloud and stored on digital devices as a matter of policy. Furthermore, SMS traffic should not reference sensitive business information. Business policy should stipulate a range of communications that should be used depending on the data to be carried. For example, emails with encrypted documents may be required to ensure only an intended recipient receives the document.

Watch

The IBM Cloud allows for enhanced data security. Watch the video below to learn how the IBM Cloud acts to secure a business’s data:

Reading

Visit: List of Data Breaches and Cyber Attacks in Australia 2018-2023 (webberinsurance.com.au) to see a list of company data breaches in Australia.

And: Case study: When a hacker destroys your business - CIO to read about one organisation’s experience with a data breach.


In the case study ‘Making a Digital Registry’, the GM of ACE Pty Ltd performed an audit to create a digital device registry.

While the device registry was complete for the devices staff use, the registry did not address the systems and network infrastructure the business relies on. For a business such as ACE with a central ordering system that the staff log on to, digital devices such as the following will also exist:

  • 1 x server running web server and firewall, with an order system as a database and software
  • 1 x network access point with internet connectivity.

These devices require a higher level of oversight and cyber security focus.

The business’s core sales/distribution, accounting, stock management and human resources/payroll modules run from the server with connectivity facilitated by the access point.

While the loss of a laptop, phone or desktop PC is consequential, recovering from it while maintaining effective cyber security does not threaten the business’s operation.

If any of the following happen to ACE’s server, ACE’s business operation will be severely interrupted:

  • The server is physically stolen.
  • The server’s web server is remotely accessed, and the data in the database is encrypted with ransomware.
  • The server’s network suffers a distributed denial-of-service (DDoS) attack on the application server, flooding it with access requests.

Critical infrastructure provides a vital business function that, if breached by hackers, threatens the business’s operation.

When securing critical network and server infrastructure, such as ACE’s IT servers, always:

  • Ensure the servers are included in the digital device registry.
  • Ensure the data that is on the devices is fully identified - for example, where the marketing resources are held (on the database server).
  • Ensure that protocols for security management are highest for critical resources and, in the event of a breach despite active layers of protection, there is effective contingency to recover quickly with minimum disruption.
  • Prioritise devices based on their role and the data they contain - 'prioritise' meaning to apply higher levels of physical security, policy and procedure requirements, and software management (such as patch application).

Businesses will have limited cyber security budgets and personnel, so prioritising where effort and resources are applied in building a cyber security environment ensures that high-risk assets are identified and receive the most attention. Critical infrastructure will be a more valuable target for hackers, and prioritising business servers and network assets focuses attention on where penetration attempts are more likely to occur. For example, it is more attractive to access a business’s client database than a single PC (which is non-critical to the overall business operation).

Case Study

High-Priority Security Breach Management

After a weekend, the GM of ACE Pty Ltd opens the office and finds the server has been stolen.

Recognising the complete loss of the system:

In parallel to making a police report and ensuring the cause of the break-in is rectified, the GM instructs ACE’s IT support to arrange for replacement hardware and to reload a backup of the server. ACE incrementally backs up the server nightly and fully backs up the server weekly. The last full backup was last weekend. IT will load the last full backup, then roll in incremental backups to update the system to the close of business on Friday.

The GM discovers this will take four hours and informs all staff. In the interim, they are instructed to perform housekeeping duties. Over four hours later, a new server has a system backup restored.
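The restore the GM orders, as an added worked example (not part of the ACE case study): select the newest full backup taken before the target time, then apply every incremental taken after it, oldest first. The backup set, file names and dates are constructed, and the example assumes the Friday-night incremental ran before the theft.

```python
from datetime import datetime

# Constructed backup set matching the case study: a full backup taken on the
# weekend, then nightly incrementals holding only the files changed that day.
# Each backup maps file path -> content version. Dates are constructed.
BACKUPS = [
    {"taken": datetime(2022, 3, 26, 2, 0), "kind": "full",
     "files": {"orders.db": "v1", "clients.csv": "v1", "marketing/brochure.pdf": "v1"}},
    {"taken": datetime(2022, 3, 29, 2, 0), "kind": "incremental", "files": {"orders.db": "v2"}},
    {"taken": datetime(2022, 3, 30, 2, 0), "kind": "incremental", "files": {"clients.csv": "v2"}},
    {"taken": datetime(2022, 3, 31, 2, 0), "kind": "incremental", "files": {"orders.db": "v3"}},
    {"taken": datetime(2022, 4, 1, 2, 0), "kind": "incremental", "files": {"marketing/brochure.pdf": "v2"}},
    {"taken": datetime(2022, 4, 2, 2, 0), "kind": "incremental", "files": {"orders.db": "v4"}},
]
# Constructed points in time: Monday morning when the theft is found, and a
# mid-week point to show that later incrementals are left out of the chain.
MONDAY_MORNING = datetime(2022, 4, 4, 8, 0)
WEDNESDAY_NOON = datetime(2022, 3, 30, 12, 0)

def restore_chain(backups, target):
    """Backups to apply, in order, to reach the state at `target`: the newest
    full backup taken at or before target, then every incremental taken after
    that full backup and at or before target, oldest first."""
    fulls = [b for b in backups if b["kind"] == "full" and b["taken"] <= target]
    if not fulls:
        raise ValueError("no full backup exists before the target time")
    base = max(fulls, key=lambda b: b["taken"])
    incrementals = [b for b in backups if b["kind"] == "incremental"
                    and base["taken"] < b["taken"] <= target]
    return [base] + sorted(incrementals, key=lambda b: b["taken"])

def restore(backups, target):
    """Rebuild the file set by applying the chain; a later backup's copy of a
    file overwrites an earlier one, so the order of application matters."""
    state = {}
    for b in restore_chain(backups, target):
        state.update(b["files"])
    return state

if __name__ == "__main__":
    for b in restore_chain(BACKUPS, MONDAY_MORNING):
        print(b["taken"].date(), b["kind"])
    print(restore(BACKUPS, MONDAY_MORNING))
```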

The status of the stolen server:

As policy, no financial information (such as credit card details) is kept on the server, and the order system requires two-factor authentication (2FA) to log on (the GM receives a message to their phone). Furthermore, the order system database has been configured to encrypt any personal information (such as client details).

The GM ensures client data cannot be compromised further and the cyber security gap is closed.

The GM contacts the Office of the Australian Information Commissioner (OAIC) with the circumstances of the breach as there was sensitive personal data on the server.

The GM communicates with individuals who had personal data on the server and advises of recommended steps they should take. The GM ensures the OAIC approves of the format of the communication to individuals who must be informed of the breach.

Watch

A DDoS attack is designed to disrupt operations rather than steal data. Watch the video below to learn about DDoS attack methods:

A device registry is a map of a business’s digital devices. It describes the potential attack surface that third-party actors can exploit to gain access to a business’s IT infrastructure. By allocating priorities to device types, effort and finance is spent on securing devices that pose the greatest threat to a business.

Tip

A digital device registry should be paired with a software registry of the approved business applications in use. In a small business, there may be more variety across devices than in big companies, which typically clone software and install the same packages across devices.

A software ledger for each device allows for quick identification of unauthorised software.

Reading

Visit this website to read about patch applications:

Patching Applications and Operating Systems | Cyber.gov.au


A security protocol is a hardware or software method to provide cyber security. Depending on the cyber security risks a business must manage, there is a range of protocols that can be deployed. Why not simply apply the maximum strength protocol to all digital devices used in the business?

There are three limitations that influence the scope of protocols available to a business:

  • Cost – There is a cost to providing cyber security, and depending on the business, budgets vary.
  • Practicality – Adding security does not improve speed and productivity. It is typically a choke point on business operations, and high-end cyber security may be impractical for day-to-day operations.
  • Need – Desktop PCs on the business’s network can have simpler forms of protocols (such as login/password access), while mobile phones outside the network require multiple authentication methods. Depending on the device, the protocol varies accordingly.

The principle of cyber security is to protect the CIA of a business:

C - Confidentiality of a business’s data

I - Integrity of the data from unauthorised changes

A - Availability of the business’s data to ensure operational continuity

This is known as the CIA triad in cyber security and simplifies the reasons for the measures taken to provide a secure digital environment.

While not exhaustive, the following table details common and powerful digital assets for use in developing cyber security protocols for digital devices:

HTTPS

‘Hypertext transfer protocol secure’ (HTTPS) applies to internet browsing, where data is sent to and from a web server in an encrypted format. It ensures that an intermediate third actor cannot read the data being sent.

There are fine technical details – such as the use of digitally signed certificates – however, the important consideration is that HTTPS facilitates secure traffic from mobile and fixed digital devices to a web server.

Firewall

A firewall acts to ensure only data traffic for authorised applications will be processed. Positioned in front of an online application, traffic connecting with the firewall is required to use ‘open’ ports on the firewall.

All internet-facing software uses a web server that ‘listens’ for data using a unique port. Port numbers range from 0 to 65,535; however, well-known ports range from 0 to 1023. For example, HTTPS traffic uses port number 443.

To see how this works, type https://www.google.com:443 into a browser.

Note that the Google website appears with or without ‘:443’. This is because HTTPS at the front of the URL (Uniform Resource Locator) assumes the port should be 443 and adds this to the data being sent without the user knowing.

Firewalls restrict traffic by opening or closing ports.
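The port behaviour described above, as an added example (not part of the course material): a browser fills in 443 for an https URL with no explicit port, and a firewall with default-deny rules then either passes or drops the connection by port. The rule set and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Port a browser uses when the URL names none; https implies 443, http 80.
DEFAULT_PORTS = {"http": 80, "https": 443}

def effective_port(url):
    """Port the browser will actually connect to for `url`: the explicit
    ':port' if one is given, otherwise the default for the scheme."""
    parts = urlsplit(url)
    if parts.port is not None:          # e.g. ':443' or ':8443' written out
        return parts.port
    try:
        return DEFAULT_PORTS[parts.scheme.lower()]
    except KeyError:
        raise ValueError(f"no default port known for scheme {parts.scheme!r}")

# Constructed rule set for an internet-facing web server. The first rule that
# matches the port decides; anything unmatched is dropped (default deny).
RULES = [
    {"port": 443, "action": "allow"},   # HTTPS to the web server
    {"port": 80,  "action": "allow"},   # HTTP, normally redirected to HTTPS
    {"port": 22,  "action": "deny"},    # administration port stays closed
]

def firewall_allows(port, rules=RULES):
    """True if `port` is 'open' under `rules`; closed unless a rule opens it."""
    for rule in rules:
        if rule["port"] == port:
            return rule["action"] == "allow"
    return False

if __name__ == "__main__":
    for url in ("https://www.google.com", "https://www.google.com:443",
                "https://www.google.com:8443"):
        port = effective_port(url)
        print(url, "->", port, "allowed" if firewall_allows(port) else "blocked")
```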

VPN

A virtual private network establishes an encryption layer that overlays a communication between digital devices. While a VPN acts as additional encryption when using HTTPS web portals, a VPN shields the user’s activity from the internet service provider (ISP).

In the case of other application activity, such as using mobile phone apps, a VPN may be the only encryption mechanism. Businesses with remote agents must require remote logon with a VPN environment to ensure data is always encrypted. Watch the video below to learn more about VPN operations:

Antivirus/Anti-Malware

Most people are familiar with antivirus software. Running in the background on a digital device, the software relies on a library of known viruses and malware (short for ‘malevolent software’) types. Searching through browser and application requests, this software first compares such requests with known viruses.

2FA

Two-factor authentication ensures that, aside from a username and password, a user must enter a code sent to a trusted second device. This is typically a mobile phone. An application can be configured to require 2FA when accepting a login. For additional security, multifactor authentication (MFA) requires two or more additional security checks aside from a username and password.

Here are five fundamental aspects of Two-Factor Authentication (2FA) with explanations:

  1. Something You Know (Knowledge Factor): This is typically a password or a Personal Identification Number (PIN). It's the foundational factor in many authentication systems. The idea is that only the authorized user should know this information. However, passwords alone are vulnerable to various attacks such as brute force, phishing, or credential stuffing. 2FA adds an extra layer of security by requiring a second factor.
  2. Something You Have (Possession Factor): This involves a physical item that the user possesses, such as a smartphone, security token, or smart card. The possession factor adds an extra layer of security because even if someone knows your password, they would also need to have the physical device to complete the authentication process. One common implementation is the generation of one-time codes on a device.
  3. Something You Are (Inherence Factor - Biometrics): Biometric authentication involves using unique physical or behavioral characteristics for identity verification. Common biometric factors include fingerprints, retina scans, voice recognition, facial recognition, or even behavioral patterns like typing speed. Biometrics provide a high level of security because they are difficult to forge or replicate, adding an additional layer of certainty to the authentication process.
  4. Multi-Channel Authentication: This involves using different communication channels for the two authentication factors. For example, a user might enter their password online (something they know) and receive a one-time code via text message on their smartphone (something they have). This approach enhances security by mitigating risks associated with attacks that might compromise a single communication channel.
  5. Time-Based Authentication: Many 2FA systems use time-based codes, where the one-time code generated by the possession factor (like a smartphone app or security token) changes at regular intervals. These codes are valid only for a short period (usually 30 seconds to a few minutes). This time-based aspect adds an additional layer of security because even if someone intercepts a code, it quickly becomes invalid, reducing the window of opportunity for unauthorized access.

By combining these fundamentals, 2FA creates a robust authentication process that significantly strengthens the security posture of systems and accounts. It's an effective measure to protect against various cyber threats and unauthorized access.

Visit the link below to learn more about MFA:

Multifactor Authentication (MFA) | Microsoft Security 

Keygen

A form of 2FA, a hardware key generator (keygen) must be used by a user to create a number that, for a short space of time, ‘unlocks’ access and allows them to log in. The keygen is usually a small device, typically attached to a user’s car or house keys. The key is a number, often six digits, that is entered alongside a username and password. The technology relies on a shared public and private key cryptography.

Cyber security has been moving away from hardware-based key or token generation and instead relies more on software-based authentication.

All are forms of cryptography.

Cloud Data

As discussed, the best way to manage the risk of a security breach resulting in the loss of data from a digital device is to not keep sensitive data on the device. The concept of cloud data storage can be dated back to the earliest computers, where terminals rather than personal computers were in use.

A terminal is a ‘dumb’ device and acts only to pass traffic to and from a user and remote software. Terminals relied on cloud data stored remotely.

As a return to this philosophy, storing business data for read/write operations externally from digital devices is a strong cyber security model to follow.

Each of these protocols contributes to cyber security by helping to ensure the CIA of systems and data. They do so by limiting the risk that an unauthorised ‘actor’ will seek to access and compromise a business’s operational IT systems.


Actors

A formal term, the word ‘actor’ has been used to describe third parties looking to exploit IT vulnerabilities. The following are common types of actors who seek to access business systems illegally:

  • Script kiddies – It is possible to buy hack tool kits online that use common exploits. As simple to use as a toaster, such kits are typically unable to gain access to IT systems that have a coherent cyber security policy requiring digital devices be updated with the latest security patches.
  • Black hats – Black hats are deeply immersed in cyber security and typically belong to networked crews of people who actively research, find and use new exploits to gain access to IT systems. Their targets are typically large corporations. Reasons for attacks include:
    • locking systems to require payment (usually in Bitcoin) to allow normal business to continue – a financial gain
    • threatening to publish sensitive data or destroy systems – for a financial gain.
  • Hacktivists – A form of black hat, hacktivists typically have a political agenda and often steal and publish sensitive data to support a change agenda.

Reading

Visit the website below to find out about the term ‘actors’ in regard to cyber security threats:

What is a Cyber Threat Actor? - CrowdStrike

Case Study

Attack on an American Pipeline

Read the article below for the background story of how a black-hat hacking group stopped the flow of fuel along the largest pipeline in America. The pipeline was operational only after $4 million was paid to the black-hat group behind the cyber-attack.

Colonial hack: How did cyber-attackers shut off pipeline? - BBC News

Prioritising Cyber Security Effort

The GM at ACE Pty Ltd manages digital device cyber security based on two levels of requirement:

Normal device protocols: All mobile devices require 2FA and must run the latest antivirus/anti-malware software. Access is facilitated over a VPN and passes through a firewall to the online ordering system. The ordering system requires a valid username and password. All data not in the ACE ordering system must be stored on the ACE secure cloud.

In ACE’s case, ‘normal devices’ are the devices that communicate with the backend ordering system.

High-priority protocols: Data that is commercially sensitive, or clients’ personal information, is encrypted in the database and requires decryption on the user side to view. Access attempts outside ACE’s cyber security policy (such as using VPNs) are logged as possible illegal penetration access attempts, and the session is discontinued. Applications, databases and web servers are patched to the minor release of the software.

Note: a ‘patch’ is not upgrading software to the full next version.

Cyber security ‘hardening’ to reduce potential vectors into a business’s systems is a continual process of monitoring, upgrading, analysing and researching vulnerabilities.

In typical business risk management, removing risk by changing processes and mitigating risk by predictive observation is reasonable. In effect, the probability of an event occurring has a role in the amount of effort applied to manage the risk.

With cyber security, it should be reasonably assumed that a full range of hacking attempts will be made, including attempts yet unknown.

Cyber security risk management should always lean to removing risks entirely. The outcome of cyber attacks will always lead to business interruption. While budget plays a significant role in being able to close down gaps in security, strong enforcement of tight cyber security policy, coupled with best practice management, will make a business a ‘harder nut to crack’ and less attractive to malicious third parties.

Cyber security should always look to remove risk, rather than live with it.
