Hacking can take many forms and motives. It may range from somebody trying to prove their skills, into an organised crime. Nowadays, organisations have been venturing into the area of online provisioning of services. This usually requires usernames, passwords and other information that are confidential. Through the website, these details are stored in databases.
Now, consider a company like the one described above, which uses online services provisioning system. One day, you switch on your computer and run your browser to connect to the company's website. All out of a shock, you find out that the visual appearance of the website has been altered, as if it is a different website. You look closely to the URL to verify it, but you find there is nothing wrong with it. You look again at the page to see what is going on. You find a message that says a hacking group has infiltrated the website, and they have replaced the company's logo with their own.
You pick up the phone and call the company to inform them about the issue, which they have not noticed yet. The IT team hurries up to find out what is going on using the system logs, to discover that their web server has been compromised for a month, even before "defacing" the website.
The IT team has checked the database, which is linked to the website in order to store customer information that includes confidential details. The content of the database was a mess. Some entries were changed, others were deleted, and many were just misleadingly added.
The company ended up with a situation in which the correct information in the database could not be differentiated from the manipulated information. And to add insult to injury, no backup was taken in the past six months.
The above scenario is one of the worst nightmares that a company can be facing in the cyber world. The losses are tremendous. The company now has lost its reputation, customer details, purchase orders and it has suffered from theft of confidential data. Consequently, this company may go through a series of lawsuits that the customers will file due to breach of confidentiality agreements. It could even go out of business.
After realising that such nightmare exists, you may wonder: shall we stop using online services and go back to the paper era? Is this the only way out of cyber risks? Is the state of cyber security that hopeless? This is absolutely incorrect. Although it is true that there is no such thing as a silver bullet to stop cyber risks, information security specialists have developed several methods, techniques and technologies to reduce and mitigate them.
To put it in a broad perspective, risk is a product of three elements: threat, vulnerability and impact (literally: risk = threat x vulnerability x impact). The objective is to reduce the risk to the value of zero. To achieve that, at least one of these elements should be equal to zero. For example, a certain virus is causing a threat to computers. However, antivirus companies have a definition for the virus. If a computer is running an updated antivirus, then it is not vulnerable to this threat, rendering the risk value to zero.
The same perspective is also applied to the scenario of the online services company. Exposing the system to the internet brings to it a great deal of threats, which cannot be eliminated. This leaves us with two elements to work on: vulnerabilities and impact.
Many best practices can be followed to reduce and potentially eliminate vulnerabilities and impacts. They include, but not limited to, segregation of infrastructure components, deploying defence in depth methodology, bearing in mind multilayered security architecture; as well as keeping the infrastructure components hardened and patched against security holes.
Finally, and as one of the security specialists says; security is a process, not a product. You need to focus on the right approach and processes required to manage your information security against cyber threats; and then look for products that can be put in place to serve your information security management purposes.
- The writer is the monitoring and response team leader at aeCERT (UAE Computer Emergency Response Team). The views expressed are his own
Keep up with the latest business news from the region with the Emirates Business 24|7 daily newsletter. To subscribe to the newsletter, please click here.