Category Archives: Amethyst Risk

Information Security Should Become A Way Of Life For Future Generations

By: Purple Slog

Many people think that the term information security is only concerned with security of digital data. However, information security actually means keeping all types of data secured and protected from any kind of unauthorized use. The unauthorized use may include inspection, destruction, loss, recording, disruption, disclosure, access and modification. The term applies to both digital and physical forms of data.

Information security used to be extremely simple when I started my career in the field of computing. People used to lock their offices and computer rooms and knew that the data was secure. Shredding magnetic tapes, shredding paper and destroying old disk drives were the only things needed for information security. In those days, electronic data could not be accessed easily without access to the computer room. Therefore, control over input as well as output media was enough to secure information/data.

It is true that a lot of changes have taken place in the field of technology since then but the basics of data protection have not changed. If one compares the Data Protection Act of 1998 with the 1984 Act, the basics remain the same.

I have observed a lot of simple data breaches over the years. Some of these breaches are as follows:

  1. People leave confidential papers everywhere without giving second thoughts to the security of those papers. I have found confidential papers left in the meeting rooms, hotel bars, on buses, in bins, on fax machines and on the desks where others can easily see them.
  2. People occasionally send personal details to a wrong address/person.
  3. People make disclosures over the phone that are not supposed to be made over the phone.
  4. People accidentally send e-mails to all their contacts by pasting the contact addresses into the ‘To’ field rather than using the ‘BCC’ field.
  5. Computers are regularly discarded without first destroying the hard drives.
  6. People regularly lose USB sticks with important information and those USB sticks are unencrypted.
  7. Laptops with extremely important information are lost on trains and buses, and the disks are unencrypted.
  8. People hold onto data even when they know it is inaccurate, and that inaccurate data is then used inadvertently.
  9. Servers and networks are left unsecured, exposed to cyber criminals.
  10. People regularly click on attachments and links from unknown senders, which results in the download of malicious software and viruses.
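Item 4 above (contact lists pasted into ‘To’ instead of ‘BCC’) is one of the few breaches in this list that a mail client or relay can catch mechanically before the message leaves. The following is an added example, not code from the original post: a pre-send check that counts the external addresses visible in To/Cc and blocks the message when there are too many. The internal domain `example.org`, the customer addresses and the threshold `MAX_VISIBLE_EXTERNAL` are constructed for the illustration.

```python
"""Pre-send check for accidental recipient-list disclosure.

Added example for the breach list above; not part of the original post.
Domain, addresses and thresholds are constructed sample values.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy: more than this many external addresses visible in To/Cc
# in a single message is treated as an accidental disclosure.
MAX_VISIBLE_EXTERNAL = 2
INTERNAL_DOMAIN = "example.org"   # constructed internal domain


def visible_external_recipients(msg, internal_domain=INTERNAL_DOMAIN):
    """Return external addresses exposed in To/Cc. Bcc is never exposed,
    so it is deliberately not inspected."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs
            if addr and not addr.lower().endswith("@" + internal_domain)]


def check_message(msg, limit=MAX_VISIBLE_EXTERNAL):
    """Return (ok, reason). ok is False when sending would reveal one
    external recipient's address to the others; the caller should block
    the send and point the user at Bcc."""
    exposed = visible_external_recipients(msg)
    if len(exposed) > limit:
        return False, (f"{len(exposed)} external addresses visible in "
                       f"To/Cc (limit {limit}); move them to Bcc")
    return True, "ok"


def build_message(to=(), cc=(), bcc=()):
    """Construct a test message (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = "newsletter@example.org"
    msg["Subject"] = "Monthly update"
    if to:
        msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg.set_content("Constructed body text.")
    return msg


# Constructed customer list: 25 distinct external addresses.
CUSTOMERS = [f"customer{i}@mail-{i}.example" for i in range(1, 26)]

if __name__ == "__main__":
    leaky = build_message(to=CUSTOMERS)                        # the mistake
    safe = build_message(to=["newsletter@example.org"], bcc=CUSTOMERS)
    print(check_message(leaky))
    print(check_message(safe))
```

The check is intentionally narrow: it only reasons about header fields, so it can sit in a client plugin or an outbound relay without reading message bodies, and it never flags internal-only mail, where colleagues seeing each other's addresses is not a disclosure.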

I strongly believe that there are many others like me who have witnessed such simple data security breaches caused by a lack of information security awareness. Things have also become more complicated today, as data must be protected against hackers, phishers, cyber criminals and intruders who do not need physical access to get their hands on confidential data.

A lot of new technologies have emerged to protect data from these new threats. These defensive technologies include user authentication, encryption, anti-spyware tools, password protection, antivirus, firewalls, secured logins, regular software updates and the use of secure transmission channels. The truth is that security becomes much easier if a system is designed with security as a central objective; securing a system as an afterthought is a hard job.

In September 2013, the International Organization for Standardization (ISO) released its updated standard for information security. The previous standard, released in 2005, was outdated and needed an overhaul. The latest standard, ISO 27001:2013, covers current data protection practices.

This new standard requires all-encompassing data protection and information security practices to be followed in order to obtain certification. Nor can one rest on one's laurels after obtaining it: continuous risk assessment, review and improvement are part of the standard. This makes it much more than a merit badge for a company to earn; it shows the company's commitment to data protection and information security.

The Data Protection Act is enforced by the Information Commissioner's Office (ICO). Last year it published an interesting article outlining the data breaches of the previous year and the fines imposed by the ICO. It is ironic that the ICO was itself breached some time after that article was published.

The many data breaches of the past few years show how easily a breach can happen. It is also important to keep in mind that a data breach can have horrible consequences for individuals as well as for the affected companies. It would not be wrong to say that data protection and information security should be among the key objectives of every company. Information security also needs to be the responsibility of everyone in the company; it is no longer the domain of the IT department alone.

In 2009, President Obama said that the emerging cyber threat was one of the biggest and most serious national security and economic challenges facing the country. The Internet has grown a great deal since that speech, and anyone who has been paying attention to the news will know that there has been a huge increase in both the severity and the volume of cyber threats. With the increasing use of cloud computing and mobile devices, opportunities for cyber crime are growing at an alarming pace.

I am of the opinion that we are going to see a huge increase in cyber threats in the future. Therefore, data protection as well as security awareness should become a way of life and should not be treated as an isolated responsibility of a particular department. As far as businesses are concerned, all the employees of the business should be given security awareness and data protection training in addition to taking all of the usual physical and technical safety precautions.

All of us need to spread the word and make sure that data protection becomes a way of life for future generations.

Cyber Threat A Matter for National Security – Obama

If there was any doubt about how serious a threat cyber-attacks are being taken these days then the latest proclamations from the White House should serve as a fairly keen indicator.

In a month in which the world has once again seen a major online name (in this case the code-sharing site GitHub) become the target of a massive DDoS attack, President Obama declared a state of national emergency, noting that the increased frequency and severity of such attacks posed a threat not only to the US (and, by extension, global) economy, but also to its foreign policy and overall national security.

With a clear message of intent, the Obama administration has announced its intention to impose severe economic sanctions on individuals, companies and anyone else found to carry out, or indeed benefit from, cyber-attacks against business, commerce or national security. The sanctions would allow the Government to freeze assets or impose other strict penalties on any person, company or organisation deemed to have knowingly used stolen trade secrets.

The announcements are primarily aimed at foreign attacks, with the President saying that US agencies, financial institutions and organisations are being frequently probed for weaknesses in their systems by potentially hostile forces abroad. Economic sanctions are being touted as an additional weapon alongside more traditional judicial routes, on the basis that a significant proportion of the attacks are likely to be industrial espionage carried out for financial gain.

There has certainly been a global rise in both small- and large-scale attacks on businesses and organisations, from high-profile incidents such as the one at Sony to a range of DDoS attacks on prominent online networks.

The recent attack on GitHub was, by the company’s own admission, the largest and most sustained it had ever faced. The code-sharing and blogging site found itself on the receiving end of a huge and sustained DDoS attack at the end of March, slowing services down and pummelling the site for more than five days before normal service was resumed.

And while there has been no official statement about who was behind the attack or where it originated, the fact that it was specifically aimed at areas of the site focused on anti-censorship projects in China has led commentators to speculate about Far Eastern origins.

Such incidents serve only to reinforce Obama's statements, in which he noted attempts by hackers from Russia and China to target US defence contractors, and to highlight the more general point that cyber crime is not only a global issue but one from which no one and no system is immune.

And while, at a geopolitical and financial level, the world's major powers look to enforce sanctions and pay heightened attention to cyber security, incidents such as the GitHub attack and recent reports of more frequent DDoS attacks remind the leaders of businesses of all sizes across the world that their online security needs constant vigilance and must stay high on the agenda at all times.

For while it is unlikely that a company can prevent an attack, measures can certainly be taken to protect its data and integrity through ever-evolving diligence in this new age of worldwide cyber threat.

Rise in DDoS Attacks Could Cost Businesses Up To £100,000 Per Hour

A new report from Neustar has revealed that as much as 40% of the world’s businesses are potentially exposed to the risk of Distributed Denial-of-Service (DDoS) attacks which could result in losses upwards of £100,000 per hour.

Based on responses from 250 IT professionals in Europe, the Middle East and Africa (EMEA), the report finds that half of those questioned say the risk of a DDoS attack on their workplace has increased in the past year, suggesting that this is one of, if not the, most serious threats to a company's cyber security today. Indeed, with such a widespread increase across all business types and sectors, organisations across the globe are quickly realising that it is a question of when, rather than if, an attack will come, and are implementing strategies and services to combat it as robustly as possible.

This was backed up in the report by the fact that 70% of the professionals questioned reported an increase in investment in DDoS defence strategies over the past year (even among the 18% who said they had seen a drop in the threat), with 40% saying that investment should be increased further in the coming year.

Methods of Defence Being Adopted

For the majority of companies the primary form of defence against a DDoS attack is still a traditional barrier-style defence such as firewall protection. However, while firewalls continue to contribute to an IT system's defence, it is increasingly the case that on their own they are insufficient against ever more complex online threats. A third of those surveyed said that their businesses were now combining firewall-type protection with cloud-based traffic scrubbing in a ‘hybrid’ DDoS mitigation strategy.

For most of those adopting this strategy, this meant having an ‘always on’ hardware appliance protecting the system on-site while also using the services of a DDoS mitigation provider, so that the company had, as the report puts it, “the best of both worlds.”
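The hybrid model described above hinges on one decision the on-site component has to make: when is the traffic abnormal enough that it should be diverted to the scrubbing provider rather than absorbed locally? The following is an added example, not code from the Neustar report or from any mitigation vendor, showing that decision logic in miniature: it parses access-log lines, counts requests per source per second, flags sources that exceed a per-second limit, and recommends diversion when the flagged sources make up most of the traffic. The log format, IP addresses, and the thresholds `PER_SOURCE_RPS` and `DIVERT_SHARE` are constructed for the illustration; a real appliance would work on packet and connection counters rather than web logs, but the shape of the decision is the same.

```python
"""Toy version of the 'divert to scrubbing' decision in a hybrid DDoS setup.

Added example; not from the report or any vendor. Log lines, addresses
and thresholds are constructed sample values.
"""
import re
from collections import Counter

# Common Log Format-style line: ip ident user [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Assumed thresholds: a source sending more than this many requests in one
# second is flagged; diversion is recommended when flagged sources account
# for at least this share of all requests in the window.
PER_SOURCE_RPS = 50
DIVERT_SHARE = 0.5


def parse_events(lines):
    """Yield (ip, timestamp) for each well-formed log line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ts")


def per_second_counts(lines):
    """Count requests per (ip, second). The timestamp is used as the
    second bucket since the sample log has one-second resolution."""
    return Counter(parse_events(lines))


def flagged_sources(counts, limit=PER_SOURCE_RPS):
    """Sources that exceeded the per-second limit in at least one second."""
    return sorted({ip for (ip, _), n in counts.items() if n > limit})


def should_divert(counts, flagged, share=DIVERT_SHARE):
    """True when flagged sources dominate the window's traffic, i.e. the
    on-site appliance should hand the flow to the scrubbing provider."""
    total = sum(counts.values())
    if total == 0:
        return False
    flagged_total = sum(n for (ip, _), n in counts.items() if ip in flagged)
    return flagged_total / total >= share


def analyze(lines):
    """Run the whole decision over a batch of log lines."""
    counts = per_second_counts(lines)
    flagged = flagged_sources(counts)
    return {
        "requests": sum(counts.values()),
        "flagged": flagged,
        "divert": should_divert(counts, flagged),
    }


def make_sample_log(with_attack=True):
    """Constructed sample: five normal clients at 2 req/s for five seconds,
    plus (optionally) two sources bursting at 80 req/s for three seconds."""
    normal = ["192.0.2.%d" % i for i in range(1, 6)]
    attackers = ["198.51.100.7", "203.0.113.9"]
    lines = []
    for sec in range(5):
        ts = "10/Mar/2015:10:00:0%d +0000" % sec
        for ip in normal:
            lines += ['%s - - [%s] "GET / HTTP/1.1" 200' % (ip, ts)] * 2
        if with_attack and 1 <= sec <= 3:
            for ip in attackers:
                lines += ['%s - - [%s] "GET / HTTP/1.1" 200' % (ip, ts)] * 80
    return lines


if __name__ == "__main__":
    print(analyze(make_sample_log(with_attack=False)))
    print(analyze(make_sample_log(with_attack=True)))
```

The two-stage rule (per-source limit, then an aggregate share) is what keeps a single over-eager client from triggering an expensive diversion: one flagged source among many normal ones stays below `DIVERT_SHARE`, while a coordinated burst that dwarfs legitimate traffic crosses it immediately.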

The Risk Is Great

The overwhelming theme that emerges from this report alongside other similar reports and indeed anecdotal evidence from the past 12 months is that the risk posed by DDoS attacks is very real and very potent.

As mentioned at the top of the article, attacks can have severe financial consequences for an organisation. As well as the 40% who report that attacks can cost them more than £100,000 per hour, a further 22% report losses in the region of £50,000 per hour. These are not insignificant numbers by any stretch of the imagination, a fact that has pushed online security out of the IT department and into the boardroom in terms of priority.

However, beyond the immediate financial losses, attacks have the potential to cause damage to a business in other ways that could result in serious long term problems.

According to one of the case studies used for the report, which was typical of the risks posed, attacks were generally not isolated incidents, with companies often being hit multiple times in the course of a year. And while these attacks were generally small in scale (on average between 1 and 5 Gbps), their collective impact was potentially huge. Beyond revenue loss, the following were reported:

  • Customer Data breaches
  • Loss of faith in brand / business
  • Negative impact on customer service provision
  • Effects on promotional activity and spend
  • Loss of intellectual property

The reality is that, for most businesses in operation, a DDoS attack will likely be large enough to cause major disruption and probably disable a site with insufficient protection, something that can have a major impact on a business even over short spells. For this reason it grows ever more crucial that businesses adopt versatile, robust solutions to keep their online activity protected and maintain both the finances and the integrity of the organisation.