Chapter 8 - Cyber Security Threats Flashcards

(37 cards)

1
Q

Questions to ask about Cyber Risk:

A
  • How are data and operating systems protected from unauthorised access and manipulation?
  • How are breaches identified, analysed, remedied and reported?
2
Q

What is cyber security?

A
  • Practice of protecting systems, networks and programs from digital attacks
  • Cyberattacks are aimed at: accessing, changing or destroying sensitive info, extorting money from users or interrupting normal business processes
3
Q

Examples of sensitive info:

A
  • Customers, suppliers and employee personal data
  • Org’s own financial records
  • Data stored within infrastructure and operating systems
  • Medical data from employees, customers and other stakeholders
  • Intellectual property which may be of value if it can be illegally accessed
  • Operational data – locations of sensitive assets
4
Q

Cybersecurity objectives:

A
  • Availability
  • Confidentiality
  • Integrity of data
  • Integrity of processing
  • Establishing, maintaining and approving objectives
5
Q

Cybersecurity objective - availability:

A
  • Availability objectives = opening data up to those who have the right to access it
6
Q

Cybersecurity objective - confidentiality:

A
  • There are legal requirements to maintain confidentiality over data across many jurisdictions
  • Confidentiality objectives = stopping data from being accessed by those who do not have the right to access it
7
Q

Cybersecurity objective - Integrity of data:

A
  • Objectives should ensure that data is kept secure and not lost or corrupted at all stages of the life cycle
  • Objectives to verify the reliability of data used for decisions (source), its intelligibility (what it is saying) and accuracy (is it valid?)
8
Q

Cybersecurity objective - Integrity of processing:

A

Objectives should ensure that processing:

  • does not abuse or lose data
  • encourages efficient usage and
  • only uses data for stated, legitimate purposes
9
Q

Cybersecurity objective - establishing, maintaining and approving objectives:

A
  • Orgs need to have a formal process for establishing, maintaining and approving cyber security objectives
  • Objectives would need board approval – dedicated cybersecurity expert or IT expertise
  • Support from third parties creates trust issues, which creates risk
  • Boards need to monitor the success of objectives
10
Q

Organisational characteristics to consider when setting objectives:

A
  • Technologies
  • Connection types and service providers
  • Delivery channels
11
Q

Considering technologies used as part of business model:

A
  • Proportion of activity that is online
  • Amount of digital interaction with customers and other stakeholders
  • Type of data collected and way it is used + stored
12
Q

Considering connection types and service providers:

A
  • Connection types = physical or virtual, wired or wireless, networked or standalone, national or international
  • Reliance on service providers creates cybersecurity risks – cloud-based computing and managing valuable data
13
Q

What is cloud-based computing?

A

Solution for providing digital storage and processing that uses a separate org’s capacity and is only accessible online

14
Q

Risks of cloud-based computing:

A
  • Loss of data if provider is affected by an incident itself
  • Reliance on a functioning network to gain access to own data
  • Concerns over whether cloud computing provider is susceptible to cybersecurity breach
  • Legal action from org’s stakeholders if data is compromised while stored on a cloud computing provider
15
Q

Considering delivery channels for data:

A
  1. Website:
    * Collect data + interact with stakeholders
    * Creates risk to sensitive data
  2. Intranet:
    * Internal website that can be accessed remotely
    * Creates risk to digital data
  3. Email:
    * Spam is main risk – includes interception, eavesdropping and spoofing (impersonation to gain advantage)
    * Compromises integrity of email and requires controls to be in place
  4. Telephone:
    * Subject to eavesdropping and interception
    * Compromise confidentiality of discussions
  5. Instant messaging:
    * Spoofing as SPIM (IM equivalent of spam)
    * Could lead to service charges for users + highlights limited controls
  6. Social media:
    * Can be accessed illegally
    * Creates risk that messages are posted that org has not approved
16
Q

Cybersecurity objectives should be considered in terms of PESTEL:

A

Political:
* New legislation raising security standards
* Global geopolitical cybersecurity risks – state-sponsored data hacking and foreign investment in utility companies who can access personal data
Economic:
* Failure of systems due to hacking/poor design and operation can cost orgs significant amounts of money
Social:
* Customers are increasingly sensitive to the impact of security breaches – requires orgs to understand and meet social concerns for better protection of all data
Technological changes:
* Advances in tech are likely to be exploited by organised cybercriminality for profit
* Does provide opportunities as well, such as artificial intelligence and big data to monitor digital activity more thoroughly
Environmental changes:
* Hurricane, earthquake or tsunami – orgs need contingency plans in place
Legal:
* New regulation to protect against cybercrime
* Sarbanes-Oxley = encourages orgs to be proactive in the development of cybersecurity policies and this raises compliance levels, which could be stipulated in contractual agreements

17
Q

Risks presented by systems and networks:

A
  • Remote access instead of physical – anyone can gain access if they have the right credentials
  • Systems being left open to allow operations to occur – need to know who to let in and who to stop
  • Failure by third parties who provide systems and networks
  • Natural risks such as flood, power cuts, earthquake and accidents
18
Q

What is malware?

A

Attempts to gain unauthorised access to org’s in order to damage/ disrupt computers or networks and steal/affect sensitive info

19
Q

What is a virus?

A
  • Attaches itself to existing programme and spreads as that programme is used, shared or accessed across existing network
  • Require a target/host user to initiate it (user clicks on it)
20
Q

What is a worm?

A
  • Does not require a user to launch it to cause damage
  • Standalone software – does not attach itself to host/target programmes
  • Operates independently – enters a system via an existing vulnerability and spreads as the host/target operates normally
21
Q

What is a trojan?

A
  • Will not spread once it has infiltrated a network and been launched by the user
  • It will sit within the network and can operate functions ranging from harmless pop-up ads to more serious forms of malware that can allow access to external users
22
Q

What are bots?

A
  • Automated process
  • Web crawlers gather info and do not always represent a malware threat
  • Botnet = access a series of networks and allow malicious user to control them remotely
  • Some act as keyloggers = record keys pressed by users in an attempt to access password-protected content
23
Q

Transportation of malware:

A
  • Accidentally downloaded by users from internet
  • Unknowingly attached to emails and then accidentally clicked
  • Inadvertently carried on storage devices (USB drives)
  • Sophisticated malware can spread independently across computers and networks
24
Q

Internal & External Malware threats:

A

Internal malware threats:
* Employees could fail to observe cybersecurity protocols
* Employees who hold a grudge could deliberately introduce malware either for financial gain or fun
External malware threats:
* Hacking for extortion, publicity, spyware or revenge

25
Q

Defences against malware:

A
  • Perimeter defences (firewalls) = spot threats as they pass through and monitor actions of emails once they have entered org’s systems for illegal activity
  • Segmentation into different compartmentalised parts to help contain infiltrated malware
  • Housekeeping activities = ensuring software and systems are regularly updated and taking regular back-up copies
  • Gatekeeping controls (e.g. I am not a robot)
26
Q

What is hacking?

A

Gaining access to info that you are not meant to access, without the user’s knowledge (illegally)
27
Q

What is phishing?

A
  • Theft of login details, credit card numbers or passwords for personal gain
  • Requires personal info to be divulged willingly for a purpose that appears logical but is criminal
  • Incredibly effective method of using email to circumvent org’s controls
28
Q

What is ransomware?

A

Extorting money by blocking access to files or systems until a fee is paid
29
Q

What are distributed denial-of-service attacks?

A
  • Disabling a system by bombarding it with more activity than it can cope with
  • They can focus on volume = the sheer number of contacts made can disable systems
  • Some trigger certain applications, flooding target systems with requests that keep them busy
  • Protocol-based DDoS generates requests that require specific responses, flooding the target’s system with too much activity
30
Q

Examples of web application attacks:

A
  • Hacking
  • Phishing
  • Ransomware
  • DDoS
31
Q

Defences against web application attacks:

A
  • Firewalls
  • Antivirus software that is kept up to date
  • Other operating software that is legitimate and supported by the developer
  • Encourage better user education
  • Filters to block potentially malicious emails
  • Adaptive technology to spot new and emerging threats
  • Systems of trust
  • Certify emails by independent certification (McAfee)
32
Q

What is a white-hat hacker?

A
  • Work for owners of a system
  • Look for gaps in the systems and inform owners of weaknesses to be improved
33
Q

What is a black-hat hacker?

A
  • Find gaps in cybersecurity and exploit them for their own malicious purposes
34
Q

What is a grey-hat hacker?

A
  • Won’t be working for the owner of a system
  • Flag weaknesses and fix them for a fee without exploitation
  • Or post details online for all users to see if there is no response from the owner
35
Q

What is social engineering?

A
  • Exploiting someone’s trust to gain physical or virtual access to data
  • Occurs digitally or in the real world by blagging or somehow finding a way into the company (fake identification, uniform or cover story)
  • Dumpster diving for old, disposed machinery
36
Q

Opportunities from white-, black- and grey-hat hackers:

A
  • Black-hat hackers can create malware threats that could lead to extra costs, lost data and additional work that could be prevented by having adequate defences
  • Security testing – using white-hat and grey-hat hackers to test security defences
  • Simulations – white-hat hackers can conduct simulation tests to train staff and raise awareness
  • Peer review – audits by peers can lead to comparative analysis to highlight areas for improvement (less resource-intensive approach)
37
Q

Downside risks from cybersecurity breaches:

A
  • Lead to operational downtime while the breach is addressed – may lead to loss of sales
  • Cost of repairs/upgrades can be significant
  • Adverse impact on the company’s share price
  • Questions may emerge over the quality of the org’s leadership and management
  • May be loss of customers if dissatisfied with service
  • Loss of reputation
  • Legal and industry consequences – breaching GDPR can lead to a fine of €20 million or 4% of global revenues, whichever is higher