Implementing cybersecurity in a smart environment
Author : Kaspersky Lab
11 October 2017
Shutterstock image
As the stakes between cyber attackers and their targets continue to rise over the coming years, the value of cybersecurity knowledge will only increase. Cybersecurity in 2020 will be marked by subtler, intelligence-led tactics, complemented by human insight and analysis. Threat deception, either on its own or as part of a multi-layered anti-targeted attack process, will be an integral part of this.
As more products and processes are brought online with the adoption of Industry 4.0 solutions, it is increasingly important that companies are aware of the types of attacks to be expected. Connectivity spoke to Kaspersky Lab, a global cybersecurity company with knowledge in deep threat intelligence, about the evolution of security threats and the simple steps companies can take to protect themselves.
One of the biggest threats, facing small businesses in particular, is mobile malware. Such threats are becoming increasingly sophisticated, with mobile botnets, the use of code obfuscation techniques and cybercriminal affiliate schemes make it easy for would-be criminals to make money from mobile malware. As with malware aimed at desktops and laptops, mobile malware is often designed to steal sensitive data. The growing threat of DDoS (distributed denial-of-service) attacks, where an online service is targeted with an overwhelming level of traffic (which can take a company offline), has also been highlighted in recent research by Kaspersky Lab and B2B International. This research also found that only half of the companies questioned regard counter-measures against DDoS attacks as an important component of IT security.
Don’t forget the little guy
SMEs need to know that they’re not immune to attacks. It’s easy for small and medium sized businesses to read the headlines and assume that targeted attack campaigns are directed solely at ‘big names’. However, aside from the fact that all companies have intellectual property, they can be used as stepping-stones to get to another target. Companies in the supply-chain of a large organisation can be the means for penetrating the former. This might be done deliberately, or it may be accidental, as happened to Dropbox in 2011.
They also need to be aware of the fact that not all attacks are targeted at one company or a particular market sector. The lion’s share is made up of more random, speculative attacks designed to gain access to confidential data and, in particular, financial accounts. Small and medium sized businesses typically don’t have the in-house expertise that a large enterprise can call on, which makes them susceptible to the attacks faced by individuals, so they need to ensure they take steps to mitigate the chances of being breached.
Considering cyberattacks on international businesses such as Google and Sony, it’s only natural that smaller businesses are worrying about the state of their online security. Small business owners are under a great deal of pressure as they need to know their core business, as well as having a basic knowledge of many other things including accounting and IT security. However, there is no need to worry, as a few basic rules suffice in gaining IT protection.
A recent report by ENISA (European Network and Information Security Agency) on breaches of data security regulations in European companies puts it in a nutshell: When it comes to IT security, small companies are in a particularly difficult situation. While they all have a great deal of data which requires protection, most of them have neither the staff nor the knowledge to protect it effectively.
SMEs should consider the following four rules to protect themselves:
Back to basics – Ensure all computer systems are equipped with basic protection, i.e. an up-to-date virus scanner and a personal firewall. Rather than implementing multiple solutions which have the potential to be confusing and time-intensive to manage, all-encompassing protection packages can provide modules which work seamlessly together.
Keep it confidential – Many small companies handle extremely sensitive customer data and should be encrypted. Encryption translates data to a secret code and is the most effective way to achieve data security. To read an encrypted file, a key or password is needed to unlock the translated information.
Use correct password – Customer databases, access to email and computers themselves should be protected using passwords. However, these tools are only secure if the passwords used are at least eight characters long and composed of both upper-case and lower-case letters, as well as special characters and numbers. They should also be used only for a single purpose. Memorising a secure password like “3zP_0S$v” and then using it for everything is not good practice. This is when a ‘password manager’ tool can be helpful to a small business as it memorises secure passwords.
Establish rules – Small business owners know which areas of their company need protecting, but what about their employees? In most cases, staff won’t be IT experts either. Two strategies are recommended here; firstly, clear rules should be established for using IT systems, these should specify prohibited activities such as sharing passwords or using USB flash drives. Secondly, rules should be backed up with appropriate security settings.
Where to start?
Shutterstock image
As mentioned earlier, Industry 4.0 adoption will bring more products and processes online, as well as critical and sensitive data. The thought of giving hackers potential easy access to such data is hindering some companies from starting on this ‘smart’ path.
However, bearing the above four rules in mind, there are a few basic steps to follow that will aid any company looking to implement an Industry 4.0 solution:
• Keep the software installed on your PC up to date, and enable the auto-update feature if it is available.
• Wherever possible, choose a software vendor which demonstrates a responsible approach to a vulnerability problem. Check if the software vendor has its own bug bounty programme.
• If you are managing a network of PCs, use patch management solutions that allow for the centralised updating of software on all endpoints under your control.
• Conduct regular security assessments of the organisation’s IT infrastructure.
• Educate your personnel on social engineering as this method is often used to make a victim open a document or a link infected with an exploit.
• Use security solutions equipped with specific exploit prevention mechanisms or at least behaviour-based detection technologies
• Give preference to vendors which implement a multi-layered approach to protection against cyberthreats, including exploits.
Attacks are forever evolving and growing in complexity but by following these steps and implementing best practice, businesses can minimise the exposure and chances of being attacked.
Kaspersky Industrial Cyber Security
Kaspersky Industrial Cybersecurity is a portfolio of technologies and services designed to secure every industrial layer, including SCADA servers, HMI panels, engineering workstations, PLCs, network connections and people – without impacting on operational continuity and consistency of the technological process.
By addressing every possible stage of IT incidents, Kaspersky Lab solutions deliver a holistic, adaptive and strategic approach to enterprise security. The philosophy is straightforward: the best intelligence combined with the best technologies delivers the best protection.
Kaspersky’s industrial cyber security portfolio focuses on building behaviour, not just delivering knowledge: the learning approach involves gamification, learning-by-doing, group dynamics, simulated attacks, learning paths, automated reinforcement of skills, etc. This results in strong behavioural patterns and produces long-lasting cybersecurity improvement.
It offers serious and practical content, delivered as a series of interactive exercises finetuned to meet the business needs and time/format preferences of different organisational levels: senior managers, line managers, average employees.
Its real-time measurement, painless programme management and purpose-built training software delivers automated training assignments, skills assessments, and reinforcement through repeated simulated phishing attacks and autoenrollment in training modules. Courses can be managed and delivered by Kaspersky Lab partners or by the customer’s own T&D teams (Train-the-Trainer programmes and support are provided by Kaspersky Lab).
Contact Details and Archive...