Mirroring the continued rapid development of information and communication technology is the ever present reality of the risks presented by the dependence of society – and business – on the products of this industry. But while the nature of technology lends itself to compromise, an effective security posture depends on awareness of the risks and appropriate behaviour to prevent threats becoming a reality.
That’s according to Michael Heaney, security specialist with Ernst & Young’s Technology and Risk Services, who says personal habits are at the root of ensuring effective risk management. “Even within the largest company, overall security rests with each individual who comes to work. Bad habits with information, whether it is hard copy or digital data, can result in compromise.”
The answer to a better posture lies in taking what Heaney describes as an information-centric approach, in terms of which protecting the data and the data lifecycle takes precedence over protection of the technical devices and transportation technologies.
“Whether you are surfing the Internet from the comfort of your home, walking along the Johannesburg CBD with you cell phone, or using your 3G connection from a Sandton coffee shop, you are leaving ‘electronic footprints which can easily be sniffed, stored, duplicated and searched for an indefinite period of time,” Heaney notes.
Simultaneously, hard copy information offers criminals just as good an opportunity to take advantage of data leakage. “Many documents which are passed around in the corporate environment or which end up in the trash can contain information which can be useful to miscreants, giving them snippets which can be combined with cyber-methods to perpetrate crimes,” he says.
Protecting information, whether the written word or electronic data, is the watchword.
In the context of a South Africa in which white collar crime is on the rise and with the reality of cyber criminals and the threats they propagate becoming extremely sophisticated, Heaney says it is a necessary to maintain vigilance and an appropriate security posture, as an individual and as a member of a corporate entity.
He adds that external threats may have started as a challenge for those with advanced computer skills, but today the focus has turned strongly towards financial gain. With spam having increased by 70% in the last year, and with Trojan Horse viruses comprising some 80% of attacks, cybercriminals are aggressively seeking to enrich themselves at your expense,” he continues.
He points to identity theft, data leakage and the activities of operatives seeking to steal identity numbers, credit card data, bank account numbers and other data to fund their operations as top concerns.
Spam is regularly geared to entice unsuspecting recipients to part with their personal information or to push the sale of sometimes suspect goods. Trojan Horses, meanwhile, masquerade as legitimate mail, but surreptitiously install software which can steal sensitive data such as bank passwords and usernames.
“Identity theft, where personal information is intercepted and used for illegal purposes, such as opening lines of credit, is not an issue confined to the United States or Europe issue. Like any other aspect of the Internet, it is a globalised ‘business’ for criminals, and instances are occurring with increasing regularity in South Africa, too,” Heaney adds.
Email and messaging threats continues to be one of the prime attack vectors for hackers looking to plant malware on corporate networks.
“Viruses, spam, Trojans and other mail-borne malware can cause serious network disruptions and lead to data thefts and financial losses. Hackers are also turning their attention to RFID tags and readers, mobile devices and hardware drivers and using advanced techniques such as rootkits and self-morphing Trojans to gain control of PCs,” says Heaney.
A rootkit is a programme designed to take fundamental unauthorized control of a computer system.
“Email attacks are more focused and targeted. There has been a shift away from attacks of mass proportion, such as network denial of service attacks and the defacements of websites. Today, targeted attacks are more profitable to the attacker, as they are more efficient at obtaining useful information such as credit card or account details,” says Heaney.
While these threats may seem insurmountable, he believes the game is changing as those seeking to protect information are becoming more organized and effective.
“The information security chess game has just become more interesting. Organisations in the past kept personal attacks to themselves; attackers, who arguably had the upper hand, were making the smart moves. Organisations, often individually had to defend themselves, predominantly in reactive mode.
“Now, the defenders have evolved into a mature community, where information is being shared, defence and even attack strategies worked out in a collaborative forum and leading edge technologies and safeguarding methodologies developed and exploited together. This is making it more difficult for the perpetrators to succeed – but preventing yourself and your company from attack remains a personal commitment,” he says.